fix: both feature/src/feature_bluetooth_util in feature_bluetooth_util.c #588
Open
orbisai0security wants to merge 895 commits into
Conversation
bug: v/81589 remove global var g_sal_ag_sync_conn and sync call by addr Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81504 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Rootcause: Not unregister callbacks when cleanup. Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81522 When event_id == BT_AVRCP_EVT_VOLUME_CHANGED, flag = true is set only if both CONFIG_BLUETOOTH_AVRCP_ABSOLUTE_VOLUME and CONFIG_BLUETOOTH_AVRCP_CONTROL are enabled. Otherwise in the else branch, flag = true is set only if CONFIG_BLUETOOTH_AVRCP_TARGET is enabled. All configurations are enabled, treating flag as always true, making the if (!flag) condition unreachable. Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81702 Fixed memory leak caused by premature return. Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
bug: v/80258 Rootcause: attributes in bt_sdp_discover_params may be modified by ZBlue SDP. Using const could cause a crash in some cases Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81752 Rootcause: audio_connect should not be called in bluetoothd task Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81968 Rootcause: disconnected_callback not called caused connect info not cleared in connection manager module Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
… an asynchronous API. bug: v/81682 When priv dynamically allocates memory successfully but fails later due to other reasons before reaching the assignment ins->priv = priv;, the memory allocated to priv cannot be freed in bt_socket_async_client_deinit, leading to a resource leak. Signed-off-by: jialu <jialu@xiaomi.com>
…se functions bug: v/80811 Rootcause: In certain scenarios, users of `euv_pipe` must ensure all UV requests have completed execution before releasing resources. Consequently, it is necessary to notify users that `euv_pipe` has been fully released after its close operation is completed, thereby permitting subsequent operational procedures to proceed. Support for the close callback has therefore been added. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
…e callback bug: v/80808 Rootcause: In high-throughput reception scenarios, situations may arise where the `write_cb` for SPP data transmission to the application has not yet completed, yet the SPP device is released due to an abrupt disconnection, thereby preventing notification to the protocol stack that data reception has concluded. To circumvent this issue, it is imperative to ensure all write operations are finalised before releasing the SPP device. Consequently, an `euv_pipe` close callback implementation has been introduced to guarantee that all `write_cb` operations execute successfully prior to severing the data pathway. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
bug: v/74709
only open CONFIG_BLUETOOTH_AVRCP_CONTROL or CONFIG_BLUETOOTH_AVRCP_ABSOLUTE_VOLUME can build in bt_avrcp_control_notification_cb.
error: 'bt_avrcp_info_find_by_ct' undeclared (first use in this function); did you mean 'bt_avrcp_info_find_by_tg'?
1501 | avrcp_info = bt_list_find(bt_avrcp_conn, bt_avrcp_info_find_by_ct, ct);
| ^~~~~~~~~~~~~~~~~~~~~~~~
| bt_avrcp_info_find_by_tg
Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/82095 The spp_connect_handler was attempting to look up the SPP connection by rfcomm_dlc before it was added to the connection list, causing "SPP connection not found for rfcomm_dlc" error. Root Cause: The connection object wasn't in the global connection list at the time of lookup, making spp_find_connection_by_dlc() always fail. Fix: Pass the spp_conn pointer directly as user_data to avoid the lookup, and add it to the connection list after successful initialization. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/81925 Add a generic descriptor allocation path, matching alloc_characteristic() style. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/81958 Some services are marked with GATT_PROP_EXPOSED_OVER_BREDR, but GATT over BR/EDR is not currently implemented. As a temporary workaround, clear this flag when calling add_service() so the service is exposed over BLE. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/82081 `bt_le_scan.h` is a globally exposed header file. Then, Zephyr's `#include <zephyr/bluetooth/bluetooth.h>` is declared as a private inclusion of Zephyr in CMake. However, the problem is that when third-party apps use my global `bt_le_scan.h`, the CMake system doesn't know where `zephyr/bluetooth/bluetooth.h` is and throws an error. One solution is for the third-party app to also declare a private inclusion of Zephyr in CMake, but this doesn't conform to design principles. The app only needs to be concerned with my framework layer. If the app also needs to include Zephyr's header files, then the framework layer is not properly configured. Therefore, `zephyr/bluetooth/bluetooth.h` must not be explicitly included in `bt_le_scan`. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/82104 The number of gatts sal DB attributes was insufficient for miwear's needs, so it was increased to a margin of 60. Future memory optimization projects will no longer maintain static arrays. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/81701 Rootcause: dereference null. Signed-off-by: Yuheng Li <liyuheng@xiaomi.com>
bug: v/81701 Rootcause: unnecessary malloc Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81924 By default, just working (no I/O) should automatically accept user confirmation, but for compatibility with the watch app, app confirmation is required. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/59050 Rootcause: When reconnecting to the headset during a call, the headset will obtain the call status through the cind command. Since Vela does not have a modem, the status will be an error. So, get cind from Android. Signed-off-by: zhangyuan20 <zhangyuan20@xiaomi.com>
bug: v/61170 Signed-off-by: zhangyuan20 <zhangyuan20@xiaomi.com>
bug: v/81520 In `spp_find_connection_by_sdp_param` and `spp_connect_with_uuid`, the pointer `spp_conn` was dereferenced before the NULL check. This patch ensures the pointer is validated before access to avoid potential crashes. Signed-off-by: v-yichenxi <v-yichenxi@xiaomi.com>
bug: v/82928 Remove the redundant stack variable bd_addr, which already exists in sal_conn. Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/82928 Rootcause: bt_sal_get_remote_address may fail Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
support. bug: v/65087 Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
…global database hash. bug: v/65095 The logic is implemented in gatts_service.c to trigger hash calculation and return the result via a registered callback, for trusted device sync and DB change tracking. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
…h from adapter to profile. bug: v/65126 Root cause: Adapter had no generic message path to deliver events to profile services. GATTS could not receive a request to fetch the server database hash. Add adapter handler to forward profile_msg_t to service_manager. Add PROFILE_EVT_GATTS_REQUEST_DB_HASH and handle it in gatts_service via process_msg. Wire bt_sal_gatt_server_get_database_hash() call when the event is received. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/65129 Root cause: The stack did not compute and store the server GATT database hash on initial bonding. Peers could keep a stale GATT cache because no hash update was triggered. When a bonded LE device is connected, send PROFILE_EVT_GATTS_REQUEST_DB_HASH. Force hash update to start cache sync for the new bond. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/87679 When ACL connection fails (e.g., Page Timeout), profile handlers were not triggered, causing upper layer to wait for timeout instead of receiving immediate disconnection notification. This patch:
1. Triggers pending profile handlers when ACL disconnects, allowing them to detect failure via bt_conn_lookup_addr_br() returning NULL
2. Ensures all profile connect handlers have complete error callbacks in their failure paths
Affected profiles: HFP HF/AG, A2DP Source/Sink, AVRCP, GATTS BR
Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
after bt_conn_create_br succeeds (conn enters BT_CONN_INITIATING internally, which maps to BT_CONN_STATE_CONNECTING publicly), send CONNECTION_STATE_CONNECTING event to upper layers via adapter_on_connection_state_changed. Previously only incoming connections (zblue_on_connect_req) notified CONNECTING state; outgoing connections jumped directly from DISCONNECTED to CONNECTED, causing upper layers to miss the intermediate state. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/88680 Rootcause: hfp_hf_voice_volume_change_callback runs in media policy thread while set_volume_cnt is read/written in hf_stm service loop thread, causing a race condition. Move set_volume_cnt check and media_volume update from the callback into a new HF_MEDIA_VOLUME_CHANGED event handler in the service loop, so all accesses run in the same thread without needing a lock. Signed-off-by: zhangyuan20 <zhangyuan20@xiaomi.com>
bug: v/88931 Narrow each SBC codec IE entry to a single channel mode and sampling frequency combination, ordered by preference: 44.1kHz Joint Stereo > 48kHz Joint Stereo > 44.1kHz Stereo > 48kHz Stereo > 44.1kHz Dual > 48kHz Dual > 44.1kHz Mono > 48kHz Mono. Fix block length and allocation method comments. Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/88196 Rootcause: Concurrent bt_sal_connect calls send multiple HCI Create Connection commands before the first completes, causing controller to reject with Command Disallowed. Add a pending queue to serialize ACL connect requests, dispatching the next via sal_send_req only after zblue_on_connected callback fires. Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
bug: v/87939 Move all synchronous zblue HID API calls from service_loop/sysworkq context to worker thread via service_loop_work() to avoid blocking. The affected functions are:
- bt_sal_hid_device_send_report (bt_hid_device_send_intr_data)
- bt_sal_hid_device_get_report_response (bt_hid_device_send_ctrl_data)
- bt_sal_hid_device_report_error (bt_hid_device_report_error)
- bt_sal_hid_device_virtual_unplug (bt_hid_device_virtual_unplug)
- hid_get_protocol_callback (bt_hid_device_send_ctrl_data)
These calls internally invoke bt_conn_create_pdu_timeout which may block, causing service_loop stalls. Signed-off-by: v-yichenxi <v-yichenxi@xiaomi.com>
bug: v/87673 Rootcause: bt_sal_hfp_hf_set_volume and bt_sal_hfp_ag_set_volume directly call zblue API (bt_hfp_hf_vgm/vgs, bt_hfp_ag_vgm/vgs) in the caller's context. During volume adjustment stress testing on iOS calls, rapid consecutive invocations can cause deadlock. Move the actual zblue API calls into service_loop_work to serialize execution in the service loop, preventing concurrent access issues. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87673 Rootcause: Multiple bt_sal_hfp_ag_* functions directly call zblue Z_API() in the caller's context, which can cause concurrent access issues similar to the set_volume deadlock. Move all remaining AG interfaces (voice_recognition, cind_response, dial_response, cops_response, notify_device_status_changed, set_inband_ring_enable, send_at_cmd, error_response) into service_loop_work to serialize execution in the service loop. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87673 Rootcause: Multiple bt_sal_hfp_hf_* functions directly call zblue Z_API() in the caller's context, which can cause concurrent access issues. Move all remaining HF interfaces (answer_call, reject_call, hold_call, hangup_call, dial_number, dial_memory, call_control, get_current_calls, voice_recognition, send_battery_level, send_at_cmd, send_dtmf, get_subscriber_number) into service_loop_work to serialize execution in the service loop. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87935 Rootcause: The global connection list g_sal_ag_conn_list in sal_hfp_ag_interface.c is accessed by multiple threads (zblue callback thread, service work thread, upper layer API thread) without any synchronization, which may cause data race, list corruption, use-after-free or crash. Add a pthread recursive mutex (g_sal_ag_conn_lock) with wrapper functions conn_list_lock()/conn_list_unlock() to protect all accesses to g_sal_ag_conn_list and calls sub-lists. The mutex is initialized in bt_sal_hfp_ag_init() and destroyed in bt_sal_hfp_ag_cleanup(). NULL checks for the list pointer are moved inside the lock scope to avoid TOCTOU races. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87935 Rootcause: The global connection list g_sal_hf_conn_list in sal_hfp_hf_interface.c is accessed by multiple threads (zblue callback thread, service work thread, upper layer API thread) without any synchronization, which may cause data race, list corruption, use-after-free or crash. Add a pthread recursive mutex (g_sal_hf_conn_lock) with wrapper functions conn_list_lock()/conn_list_unlock() to protect all accesses to g_sal_hf_conn_list and calls sub-lists. The mutex is initialized in bt_sal_hfp_hf_init() and destroyed in bt_sal_hfp_hf_cleanup(). NULL checks for the list pointer are moved inside the lock scope to avoid TOCTOU races. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/88938 When acting as A2DP ACP, if the remote side disconnects ACL right after Set Configuration (before media channel is established), a2dp_info->stream is freed in a2dp_info_destroy() while zblue's ep->stream still references the same memory. The subsequent avdtp_release_work() then accesses freed memory (use-after-free). Fix by deferring a2dp_info cleanup in zblue_on_disconnected() when stream is still alive. The cleanup is completed later in zblue_on_stream_released() after zblue finishes its release work. Also guard DISCONNECTED_EVT in zblue_on_stream_released() to only fire when media channel was actually established, avoiding duplicate events with zblue_on_disconnected(). Add debug logging to a2dp_info_destroy, zblue_on_stream_configured, zblue_on_stream_released, and zblue_on_disconnected for easier diagnosis. Signed-off-by: Lu Jia <jialu@xiaomi.com>
bug: v/90257 Add log privacy as bitmask enum to support multiple privacy types. Currently supports address privacy (BIT 0), extensible for future types (e.g., name privacy).
- bt_addr.c/h: bt_addr_set_privacy()/bt_addr_get_privacy() for address masking
- log.h: enum bt_log_privacy_ bitmask, DEFAULT_BT_LOG_PRIVACY macro, bt_log_set_privacy() declaration
- log_server.c: privacy_flags in g_logger, bt_log_set_privacy() dispatches by changed bits, init/monitor via kvdb
- tools/log.c: bttool log privacy <bit> <0|1>
- Kconfig: BLUETOOTH_LOG_PRIVACY (int, default 0)
Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
bug: v/88766 Add CS state machine encryption state, RAP GATTC connection in connected state, framework API and socket IPC for RAP operations, build system integration, and bttool le_cs command updates. Signed-off-by: huangyulong3 <huangyulong3@xiaomi.com>
bug: v/88762 Add CS RAP (Ranging Application Profile) implementation including segment reassembly, step data restoration, Mode1 size detection, RTT and phase-based distance calculation algorithms, and le_rap command line tool. Signed-off-by: huangyulong3 <huangyulong3@xiaomi.com>
bug: v/88765 Add cs_rap_gattc module for RAP GATT Client operations including RAS service discovery, feature read, real-time and on-demand data subscription, control point write, and lost segment retrieval. Signed-off-by: huangyulong3 <huangyulong3@xiaomi.com>
bug: v/88240 Add null pointer and length check before memcpy in if_gattc_on_element_read to prevent crash when stack reports a read result with null value pointer. Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
bug: v/88246
- Add helper to find the service declaration element from any characteristic or descriptor element within the same service table
- Add PTS mode check in read_value to reject cross-transport access: BR conn to LE-only service or LE conn to BR-only service returns 0x80
Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
❌ CLA Signature Required
@orbisai0security Some contributors need to sign the CLA:
Please:
📋 View detailed check results: Action Run #25542740788
💡 Tip: All contributors must sign the CLA before the PR can be merged.
Contributor
Hi @orbisai0security BTW, we usually use
Automated security fix generated by Orbis Security AI
Author
I've made these changes, can you take a look again?
Summary
Fix critical severity security issue in feature/src/feature_bluetooth_util.c.

Vulnerability
V-001 feature/src/feature_bluetooth_util.c:85
Description: Both feature/src/feature_bluetooth_util.c:85 and feature/feature_async/src/feature_bluetooth_util.c:31 use strcpy() to copy a string (str) into a destination buffer (ftStr) without any length validation. strcpy() performs no bounds checking and copies until a null terminator is found in the source, regardless of the destination buffer size. If the source string originates from or is influenced by Bluetooth peer data (device names, service names, BLE advertisement data), a malicious peer can supply a string longer than ftStr to overflow the buffer, overwriting adjacent stack or heap memory including return addresses and function pointers.
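A bounded replacement for the strcpy() pattern described above, as an added example that is neither this PR's diff nor the project's code: the buffer size FT_STR_SIZE, the helper ft_copy_bounded() and the peer-name inputs are assumptions constructed for the example. It handles the two policies a caller can want (reject an over-long name, or truncate it for display) and never reads past dst_size bytes of the source, so an unterminated peer string cannot become an over-read either.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the ftStr-style destination; the page does not give the
 * real size, so this is a constructed value for the example. */
#define FT_STR_SIZE 32

/* Constructed 40-byte name (longer than FT_STR_SIZE), standing in for peer data. */
#define HOSTILE_NAME "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Bounded replacement for strcpy(ftStr, str). Returns 0 if src was copied
 * whole, 1 if truncated (only when allow_truncate is set, e.g. display-only
 * names), -1 if it does not fit or arguments are bad. dst is always
 * NUL-terminated on return and empty on failure. */
int ft_copy_bounded(char *dst, size_t dst_size, const char *src, int allow_truncate)
{
    size_t n = 0;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Bounded scan: read at most dst_size bytes of src, unlike strlen(). */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n < dst_size) {                 /* fits, terminator included */
        memcpy(dst, src, n + 1);
        return 0;
    }
    if (!allow_truncate)                /* reject policy: leave dst empty */
        return -1;
    memcpy(dst, src, dst_size - 1);     /* truncate policy: keep a prefix */
    dst[dst_size - 1] = '\0';
    return 1;
}

/* Each demo returns 1 when the helper behaved as documented above. */
int demo_short_fits(void)
{
    char ft[FT_STR_SIZE];
    return ft_copy_bounded(ft, sizeof ft, "Vela Headset", 0) == 0 &&
           strcmp(ft, "Vela Headset") == 0;
}

int demo_hostile_rejected(void)
{
    char ft[FT_STR_SIZE];
    return ft_copy_bounded(ft, sizeof ft, HOSTILE_NAME, 0) == -1 && ft[0] == '\0';
}

int demo_hostile_truncated(void)
{
    char ft[FT_STR_SIZE];
    return ft_copy_bounded(ft, sizeof ft, HOSTILE_NAME, 1) == 1 &&
           strlen(ft) == FT_STR_SIZE - 1;
}

int main(void)
{
    printf("fits=%d rejected=%d truncated=%d\n", demo_short_fits(),
           demo_hostile_rejected(), demo_hostile_truncated());
    return 0;
}
```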
Changes
feature/src/feature_bluetooth_util.c
feature/feature_async/src/feature_bluetooth_util.c

Verification
Automated security fix by OrbisAI Security