[bluez] Add crasher fixes (rhbz #1027365)

Bastien Nocera hadess at fedoraproject.org
Tue Dec 10 08:25:19 UTC 2013


commit 2a3b1dd3d1a0540808ccddc87900120b24c2798e
Author: Bastien Nocera <hadess at hadess.net>
Date:   Tue Dec 10 01:17:37 2013 +0100

    Add crasher fixes (rhbz #1027365)

 ...-GLib-helper-function-to-manipulate-paths.patch |   38 +++++++++++++
 0002-autopair-Don-t-handle-the-iCade.patch         |   47 ++++++++++++++++
 ...Fix-crash-when-SDP-record-isn-t-available.patch |   29 ++++++++++
 0004-agent-Assert-possible-infinite-loop.patch     |   25 +++++++++
 ...ash-due-to-agent-callback-freeing-the-age.patch |   56 ++++++++++++++++++++
 bluez.spec                                         |   10 +++-
 6 files changed, 204 insertions(+), 1 deletions(-)
---
diff --git a/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
new file mode 100644
index 0000000..004a389
--- /dev/null
+++ b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@@ -0,0 +1,38 @@
+From f7861d27fbcbc519f57d8496aa9486f487908821 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Sat, 9 Nov 2013 18:13:43 +0100
+Subject: [PATCH 1/5] obex: Use GLib helper function to manipulate paths
+
+Instead of trying to do it by hand. This also makes sure that
+relative paths aren't used by the agent.
+---
+ obexd/src/manager.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/obexd/src/manager.c b/obexd/src/manager.c
+index cec8a39..f18896e 100644
+--- a/obexd/src/manager.c
++++ b/obexd/src/manager.c
+@@ -651,14 +651,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
+ 				DBUS_TYPE_STRING, &name,
+ 				DBUS_TYPE_INVALID)) {
+ 		/* Splits folder and name */
+-		const char *slash = strrchr(name, '/');
++		gboolean is_relative = !g_path_is_absolute(name);
+ 		DBG("Agent replied with %s", name);
+-		if (!slash) {
+-			agent->new_name = g_strdup(name);
++		if (is_relative) {
++			agent->new_name = g_path_get_basename(name);
+ 			agent->new_folder = NULL;
+ 		} else {
+-			agent->new_name = g_strdup(slash + 1);
+-			agent->new_folder = g_strndup(name, slash - name);
++			agent->new_name = g_path_get_basename(name);
++			agent->new_folder = g_path_get_dirname(name);
+ 		}
+ 	}
+ 
+-- 
+1.8.4.2
+
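Review bot: The absolute-path branch of agent_reply stores `g_path_get_dirname(name)` in `agent->new_folder` without normalising it, so an agent reply such as `/tmp/../../etc/x` still carries `..` components into the folder, because `g_path_get_dirname` only splits the string and never canonicalises. The relative branch does now discard any directory part through `g_path_get_basename`, which is what the patch description promises, but that guarantee does not hold for absolute replies, and how `new_folder` is later joined with the transfer root is outside this hunk. If the intent is to keep the agent inside its configured root, reject non-canonical replies before the split, e.g. `if (!is_relative && (strstr(name, "/../") != NULL || g_str_has_suffix(name, "/..")))` and treat that reply the same way as a missing name. Note also that `g_path_get_basename("/")` yields `"/"`, so a bare `/` reply ends up as a file name. agent_reply begins before this hunk.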
diff --git a/0002-autopair-Don-t-handle-the-iCade.patch b/0002-autopair-Don-t-handle-the-iCade.patch
new file mode 100644
index 0000000..68751ae
--- /dev/null
+++ b/0002-autopair-Don-t-handle-the-iCade.patch
@@ -0,0 +1,47 @@
+From c16ae7041c7511d8d1ed8441f696716fa6a9117e Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Tue, 19 Nov 2013 14:11:39 +0100
+Subject: [PATCH 2/5] autopair: Don't handle the iCade
+
+We can't easily enter digits other than 1 through 4 (inclusive)
+so leave it up to the agent to figure out a good passcode
+for the iCade.
+
+Note that we can not use the VID/PID of the device, as it is not
+yet known at that point.
+---
+ plugins/autopair.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/autopair.c b/plugins/autopair.c
+index 8c98c12..5d2f6f7 100644
+--- a/plugins/autopair.c
++++ b/plugins/autopair.c
+@@ -57,13 +57,23 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
+ {
+ 	char addr[18];
+ 	char pinstr[7];
++	char name[25];
+ 	uint32_t class;
+ 
+ 	ba2str(device_get_address(device), addr);
+ 
+ 	class = btd_device_get_class(device);
+ 
+-	DBG("device %s 0x%x", addr, class);
++	device_get_name(device, name, sizeof(name));
++	name[sizeof(name) - 1] = 0;
++
++	DBG("device %s (%s) 0x%x", addr, name, class);
++
++	g_message ("vendor 0x%X product: 0x%X", btd_device_get_vendor (device), btd_device_get_product (device));
++
++	/* The iCade shouldn't use random PINs like normal keyboards */
++	if (name != NULL && strstr(name, "iCade") != NULL)
++		return 0;
+ 
+ 	/* This is a class-based pincode guesser. Ignore devices with an
+ 	 * unknown class.
+-- 
+1.8.4.2
+
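Review bot: The `name != NULL` test on the new `if` line is dead, since `name` is a fixed-size array whose address can never be NULL (gcc flags this with -Waddress); the condition should read `if (strstr(name, "iCade") != NULL)`. The unconditional `g_message("vendor 0x%X product: 0x%X", ...)` looks like a debugging leftover, as the commit message itself says VID/PID are not yet known at this point, so it will emit a log line at message level for every PIN request; downgrade it to `DBG(...)` like the surrounding line or drop it. Because the remote name is supplied by the peer, any device that advertises a name containing "iCade" now opts itself out of the class-based guesser and falls back to the agent, which is a usability rather than a security consequence but deserves a comment next to the check. The explicit `name[sizeof(name) - 1] = 0` is correct, since whether device_get_name terminates on truncation is not visible here.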
diff --git a/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch b/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
new file mode 100644
index 0000000..de22106
--- /dev/null
+++ b/0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
@@ -0,0 +1,29 @@
+From 1da26fd3ce47728f423e290e3928257ead9baf76 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Sat, 7 Dec 2013 15:51:47 +0100
+Subject: [PATCH] input: Fix crash when SDP record isn't available
+
+On startup, if the SDP cache has been removed but the pairing
+information is still present, we'd crash trying to access inside a
+NULL record struct.
+---
+ profiles/input/device.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 6523161..8a28b0d 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -811,6 +811,9 @@ static struct input_device *input_device_new(struct btd_service *service)
+ 	struct input_device *idev;
+ 	char name[HCI_MAX_NAME_LENGTH + 1];
+ 
++	if (!rec)
++		return NULL;
++
+ 	idev = g_new0(struct input_device, 1);
+ 	bacpy(&idev->src, adapter_get_address(adapter));
+ 	bacpy(&idev->dst, device_get_address(device));
+-- 
+1.8.4.2
+
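Review bot: The new `if (!rec) return NULL;` leaves no trace in the log, so a paired HID device with a missing SDP cache entry simply never gets an input_device and appears to the user as a keyboard or mouse that silently never connects. Log the condition before returning, e.g. `error("input: no SDP record for device, skipping");`, using whichever of the file's log helpers is in scope, so the failure is diagnosable. Every caller of input_device_new must now cope with a NULL return; the callers and the declaration of `rec` are outside this hunk, so please confirm they check it rather than dereferencing the result.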
diff --git a/0004-agent-Assert-possible-infinite-loop.patch b/0004-agent-Assert-possible-infinite-loop.patch
new file mode 100644
index 0000000..2746e0c
--- /dev/null
+++ b/0004-agent-Assert-possible-infinite-loop.patch
@@ -0,0 +1,25 @@
+From 67e5477687a2753d3f7b300bcfdc74464d8ad41f Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Mon, 9 Dec 2013 18:04:56 +0100
+Subject: [PATCH 4/5] agent: Assert possible infinite loop
+
+---
+ src/agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/agent.c b/src/agent.c
+index bcba969..b292881 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -203,6 +203,8 @@ void agent_unref(struct agent *agent)
+ 	if (agent->ref > 0)
+ 		return;
+ 
++	g_assert (agent->ref == 0);
++
+ 	if (agent->request) {
+ 		DBusError err;
+ 		agent_pincode_cb pincode_cb;
+-- 
+1.8.4.2
+
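Review bot: The `g_assert(agent->ref == 0)` can only fire after the refcount has already gone negative, which, given that agent_unref frees the agent when the count reaches zero, means the read of `agent->ref` on the line above the assert is itself a use-after-free of an already released object; the assertion turns silent heap corruption into an abort but cannot prevent it. It is also compiled out under G_DISABLE_ASSERT, so it must not be relied on as the protection. Worth saying so in a comment, e.g. `/* ref < 0 means an extra unref on a freed agent: this is a diagnostic, the real fix is in the caller */`. Style nit: the file writes `g_assert(` without the space before the parenthesis.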
diff --git a/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch b/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
new file mode 100644
index 0000000..4c86cce
--- /dev/null
+++ b/0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
@@ -0,0 +1,56 @@
+From 28419bdc2fd093bcbc68b629b9c7b8c295260c57 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc at gmail.com>
+Date: Mon, 9 Dec 2013 20:20:55 +0100
+Subject: [PATCH 5/5] core: Fix crash due to agent callback freeing the agent
+
+Similar fix was provided for simple_agent_reply in a2f5d438 but missed
+pincode_reply case.
+
+Fix following:
+
+src/agent.c:agent_disconnect() Agent :1.48 disconnected
+src/agent.c:set_default_agent() Default agent cleared
+src/agent.c:agent_destroy() agent :1.48
+src/agent.c:agent_unref() 0x4701c68: ref=1
+Agent /org/bluez/agent replied with an error:
+    org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
+    (timeout by message bus)
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+    pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=0
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+    pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=-1
+src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
+    pinlen 0
+src/agent.c:agent_unref() 0x4701c68: ref=-2
+...
+---
+ src/agent.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/agent.c b/src/agent.c
+index b292881..2ec3183 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -428,6 +428,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)
+ 	 * is only called after a reply has been received */
+ 	message = dbus_pending_call_steal_reply(call);
+ 
++	/* Protect from the callback freeing the agent */
++	agent_ref(agent);
++
+ 	dbus_error_init(&err);
+ 	if (dbus_set_error_from_message(&err, message)) {
+ 		error("Agent %s replied with an error: %s, %s",
+@@ -467,6 +470,7 @@ done:
+ 	dbus_pending_call_cancel(req->call);
+ 	agent->request = NULL;
+ 	agent_request_free(req, TRUE);
++	agent_unref(agent);
+ }
+ 
+ static int pincode_request_new(struct agent_request *req, const char *device_path,
+-- 
+1.8.4.2
+
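Review bot: The guard ref taken after `dbus_pending_call_steal_reply` is only balanced at `done:`, so the pairing is correct only if every path through pincode_reply reaches that label; the body between the two hunks is not visible, and any early `return` there would leak a reference and keep the agent alive. A comment at the release point would help the next reader, e.g. `/* Drop the guard ref; the agent may be freed here now that the callback has run */`. The commit notes that a2f5d438 covered simple_agent_reply and this one covers pincode_reply, so the remaining reply callbacks in this file that invoke an agent callback are likely exposed to the same agent-freed-by-callback sequence and deserve the same treatment.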
diff --git a/bluez.spec b/bluez.spec
index a926032..3c5ee6a 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -3,7 +3,7 @@
 Summary: Bluetooth utilities
 Name: bluez
 Version: 5.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: Applications/System
 URL: http://www.bluez.org/
@@ -17,6 +17,11 @@ Patch1: playstation-peripheral-pugin-v5.x.patch
 Patch2: 0001-work-around-Logitech-diNovo-Edge-keyboard-firmware-i.patch
 # Non-upstream
 Patch3: 0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
+Patch4: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
+Patch5: 0002-autopair-Don-t-handle-the-iCade.patch
+Patch6: 0003-input-Fix-crash-when-SDP-record-isn-t-available.patch
+Patch7: 0004-agent-Assert-possible-infinite-loop.patch
+Patch8: 0005-core-Fix-crash-due-to-agent-callback-freeing-the-age.patch
 
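Review bot: The hunk declares Patch4 through Patch8 but no corresponding `%patch` application lines appear in this diff, so unless %prep applies every declared patch automatically (the `BuildRequires: git` suggests a git-am loop, which is outside this view), the five crash fixes would be listed yet never applied to the build. Please confirm %prep picks them up, or add the explicit `%patch4 -p1` to `%patch8 -p1` lines.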
 BuildRequires: git
 BuildRequires: dbus-devel >= 0.90
@@ -228,6 +233,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/bluetooth/
 /lib/udev/rules.d/97-hid2hci.rules
 
 %changelog
+* Tue Dec 10 2013 Bastien Nocera <bnocera at redhat.com> 5.11-2
+- Add crasher fixes (rhbz #1027365)
+
 * Mon Nov 18 2013 Bastien Nocera <bnocera at redhat.com> 5.11-1
 - Update to 5.11
 

