From ae6d01ea09b2139c6c786af8ab03a87511569c90 Mon Sep 17 00:00:00 2001
From: xuchenchen
Date: Tue, 4 Jun 2024 14:16:18 +0800
Subject: [PATCH] mgmt: Fix crash after pair command

(cherry picked from commit 528de94e8c5311d12d3bba4e37002aeaf19648ae)
---
 Fix-crash-after-pair-command.patch | 77 ++++++++++++++++++++++++++++++
 bluez.spec | 6 ++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 Fix-crash-after-pair-command.patch

diff --git a/Fix-crash-after-pair-command.patch b/Fix-crash-after-pair-command.patch
new file mode 100644
index 0000000..69320c8
--- /dev/null
+++ b/Fix-crash-after-pair-command.patch
@@ -0,0 +1,77 @@
+From 60d60166e4bfae8555fb671e5a99952586cc6b56 Mon Sep 17 00:00:00 2001
+From: Vinit Mehta
+Date: 2023-12-19 11:58:01 +0530
+Subject: [PATCH] Fix crash after pair command
+
+After pair command, if the user doesn't provide any input on bluetoothctl
+CLI interface after receiving the prompt(yes/no) below crash is observed:
+
+dbus[782]: arguments to dbus_message_get_no_reply() were incorrect,
+assertion "message != NULL" failed in file
+/usr/src/debug/dbus/1.14.10-r0/dbus/dbus-message.c line 3250.
+This is normally a bug in some application using the D-Bus library.
+/usr/lib/libc.so.6(+0x27534) [0xffffa1b67534]
+/usr/lib/libc.so.6(__libc_start_main+0x9c) [0xffffa1b6760c]
+bluetoothctl(+0x188f0) [0xaaaac9c088f0]
+Aborted (core dumped)
+
+---
+ client/agent.c | 15 +++++++++------
+ tools/btmgmt.c | 12 +++++++++---
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/client/agent.c b/client/agent.c
+index 4def1b4..77aa565 100644
+--- a/client/agent.c
++++ b/client/agent.c
+@@ -90,14 +90,17 @@ static void confirm_response(const char *input, void *user_data)
+ {
+ DBusConnection *conn = user_data;
+
+- if (!strcmp(input, "yes"))
+- g_dbus_send_reply(conn, pending_message, DBUS_TYPE_INVALID);
+- else if (!strcmp(input, "no"))
+- g_dbus_send_error(conn, pending_message,
++ if (pending_message != NULL) {
++ if (!strcmp(input, "yes"))
++ g_dbus_send_reply(conn, pending_message,
++ DBUS_TYPE_INVALID);
++ else if (!strcmp(input, "no"))
++ g_dbus_send_error(conn, pending_message,
+ "org.bluez.Error.Rejected", NULL);
+- else
+- g_dbus_send_error(conn, pending_message,
++ else
++ g_dbus_send_error(conn, pending_message,
+ "org.bluez.Error.Canceled", NULL);
++ }
+ }
+
+ static void agent_release(DBusConnection *conn)
+diff --git a/tools/btmgmt.c b/tools/btmgmt.c
+index f631de4..de7d17d 100644
+--- a/tools/btmgmt.c
++++ b/tools/btmgmt.c
+@@ -843,10 +843,16 @@ static void prompt_input(const char *input, void *user_data)
+ &prompt.addr);
+ break;
+ case MGMT_EV_USER_CONFIRM_REQUEST:
+- if (input[0] == 'y' || input[0] == 'Y')
+- mgmt_confirm_reply(prompt.index, &prompt.addr);
+- else
++ if (len) {
++ if (input[0] == 'y' || input[0] == 'Y')
++ mgmt_confirm_reply(prompt.index, &prompt.addr);
++ else
++ mgmt_confirm_neg_reply(prompt.index,
++ &prompt.addr);
++ } else {
+ mgmt_confirm_neg_reply(prompt.index, &prompt.addr);
++ bt_shell_set_prompt(PROMPT_ON);
++ }
+ break;
+ }
+ }
+--
+2.27.0
+
diff --git a/bluez.spec b/bluez.spec
index 5cb06d2..b59e850 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
 Version: 5.54
-Release: 14
+Release: 15
 License: GPLv2+
 URL: http://www.bluez.org/
 Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -36,6 +36,7 @@ Patch6012: backport-0002-CVE-2022-39177.patch
 Patch6013: backport-CVE-2023-27349.patch
 Patch6014: backport-CVE-2023-45866.patch
 Patch6015: backport-CVE-2023-50229-CVE-2023-50230.patch
+Patch6016: Fix-crash-after-pair-command.patch
 BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires: git-core glib2-devel libical-devel readline-devel
@@ -192,6 +193,9 @@ make check
 %{_mandir}/man8/*
 %changelog
+* Tue Jun 4 2024 xuchenchen - 5.54-15
+- mgmt: Fix crash after pair command
+
 * Fri Dec 22 2023 zhouwenpei - 5.54-14
 - fix CVE-2023-50229,CVE-2023-50230
--
Gitee
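Review bot: The new `pending_message != NULL` guard in confirm_response() (client/agent.c hunk) stops the abort but does not say why the callback can run with no request pending. An early return with a comment, `/* request already cancelled or released: nothing to answer */` followed by `if (!pending_message) return;`, would record that and keep the yes/no/else chain at its original indent. `input` is still passed to `strcmp()` unchecked, so if the shell can ever deliver a NULL input (not visible in this hunk) the callback would crash on that path instead. Only confirm_response() is shown; any other prompt callback in client/agent.c that replies on `pending_message` would presumably need the same guard.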
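Review bot: In the MGMT_EV_USER_CONFIRM_REQUEST case of prompt_input() (tools/btmgmt.c hunk) the rewritten branch still accepts on `input[0] == 'y' || input[0] == 'Y'`, so any line that merely begins with y confirms the pairing, whereas confirm_response() in client/agent.c in this same patch requires the exact string "yes"; comparing the whole answer here would make the two confirmation paths agree. Defaulting empty input to mgmt_confirm_neg_reply() is the right fail-closed choice, but the nested form now spells that call twice; `if (len && (input[0] == 'y' || input[0] == 'Y'))` with a single else, plus `if (!len) bt_shell_set_prompt(PROMPT_ON);`, is equivalent and shorter. `len` is defined outside the hunk and prompt_input() both starts and ends outside it, so whether the other cases also need the prompt restored cannot be checked from here.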