l2cap enhanced retransmission request #1
Vudentz pushed a commit that referenced this issue on Jul 16, 2020:

Fix segfault caused by buffer over-read. Check that index is not bigger than MAX_INDEX. This bug was found by fuzzing with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>, label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
warning: Source file is more recent than executable.
317 index_list[index].frame != last_frame) {
(gdb) bt
#0 0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>, label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
#1 0x000000000041a8c3 in packet_new_index (tv=<optimized out>, index=<optimized out>, name=0x7fffffffda68 "rsion 4.18.0-matias-patch2 (x86_64)", label=<optimized out>, type=<optimized out>, bus=<optimized out>) at monitor/packet.c:9818
#2 packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=<optimized out>, opcode=<optimized out>, data=0x7fffffffda60, size=<optimized out>) at monitor/packet.c:3881
#3 0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
#4 0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
Vudentz pushed a commit that referenced this issue on Jul 16, 2020:

Fix segmentation fault caused by buffer over-read in packet_ctrl_open(). Fix is to check that ident_len is not bigger than size. This bug was found by fuzzing btmon with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
3813 str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
(gdb) bt
#0 0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
#1 0x000000000041eda4 in packet_ctrl_open (tv=<optimized out>, cred=<optimized out>, index=<optimized out>, data=0x7fffffffda7e, size=<optimized out>) at monitor/packet.c:10286
#2 0x000000000041b193 in packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=65535, opcode=<optimized out>, data=0x7fffffffda60, size=14) at monitor/packet.c:3957
#3 0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
#4 0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
(gdb)
Vudentz pushed a commit that referenced this issue on Jul 16, 2020:

bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23

Program received signal SIGSEGV, Segmentation fault.
write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
793 util_debug(server->debug_callback, server->debug_data,
(gdb) bt
#0 write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
#1 0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
#2 0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
#3 0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
#4 0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
#5 0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
#6 g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
#7 0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
#8 0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
#9 0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
#10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
#11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
Hello everyone,
Currently we are working on completing BT SIG tests. We are stuck at tests that require l2cap enhanced retransmission request. We are starting the l2test command as follows:
l2test -w -X ertm -P 37
PSM is defined in PTS tool.
Every time we get the same error:
"- MTC: The IUT sent a L2CAP_ConfigReq that did not request Enhanced Retransmission Mode."
TEST CASE ID: TC_CMC_BV_01_C
Regards
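The PTS verdict above is about whether the IUT's L2CAP_ConfigReq carries a Retransmission and Flow Control option with Mode set to ERTM; the referenced commits are about parsers reading past the end of a buffer. The following added example (not BlueZ or l2test code) does the first check while validating every length against the buffer as the over-read fixes do. Field layout follows the Bluetooth Core Specification; the sample packets and their DCID, MTU and timer values are constructed for the example.

```c
/* Added example, not BlueZ code: decide whether an L2CAP CONFIGURATION_REQUEST
 * asks for Enhanced Retransmission Mode (what PTS checks in TC_CMC_BV_01_C),
 * rejecting any length that would read past the end of the buffer. */
#include <stdint.h>
#include <stddef.h>

#define L2CAP_CONF_REQ     0x04 /* signaling code */
#define L2CAP_CONF_OPT_RFC 0x04 /* Retransmission and Flow Control option */
#define L2CAP_CONF_RFC_LEN 9    /* mode, txwin, maxtx, rto, mto, mps */
#define L2CAP_MODE_ERTM    0x03

/* 1: requests ERTM; 0: valid request without ERTM; -1: malformed/truncated */
int conf_req_requests_ertm(const uint8_t *buf, size_t size)
{
    if (size < 4 || buf[0] != L2CAP_CONF_REQ)
        return -1;
    size_t len = buf[2] | ((size_t)buf[3] << 8);         /* signaling length */
    if (len < 4 || len > size - 4)                       /* would over-read */
        return -1;
    const uint8_t *opt = buf + 8;                        /* skip DCID, Flags */
    size_t left = len - 4;
    int ertm = 0;
    while (left > 0) {
        if (left < 2)                                    /* truncated header */
            return -1;
        uint8_t type = opt[0] & 0x7f;                    /* bit 7 = hint flag */
        size_t olen = opt[1];
        if (olen > left - 2)                             /* option overruns */
            return -1;
        if (type == L2CAP_CONF_OPT_RFC) {
            if (olen != L2CAP_CONF_RFC_LEN)
                return -1;
            ertm = (opt[2] == L2CAP_MODE_ERTM);          /* Mode field */
        }
        opt += 2 + olen;
        left -= 2 + olen;
    }
    return ertm;
}

/* Constructed sample: DCID 0x0040, MTU 672, RFC option with Mode = ERTM. */
static const uint8_t ertm_req[] = {
    0x04, 0x01, 0x13, 0x00, 0x40, 0x00, 0x00, 0x00,
    0x01, 0x02, 0xf2, 0x03,
    0x04, 0x09, 0x03, 0x20, 0x03, 0xd0, 0x07, 0xe0, 0x2e, 0xf2, 0x03 };
/* Constructed sample: option claims 9 bytes with only 2 left; rejected. */
static const uint8_t short_req[] = {
    0x04, 0x01, 0x08, 0x00, 0x40, 0x00, 0x00, 0x00, 0x04, 0x09, 0x03, 0x20 };
```

A request that carries the RFC option with Mode = 0x00 (Basic) parses cleanly but returns 0, which is the situation the PTS message describes.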