query facility during initialization is modified from back
to back invocation to chain manner to keep it inline with
RIL design. All vendor RIL does not support back to back
handling since RIL telephony framework sends the request
synchronously.
The set_band method takes two parameters for band settings, one for gsm
and one for umts. When loaded from storage, and they are not set to
defaults, the band variables can get out of sync when setting the
GsmBand and UmtsBand properties.
After input PIN wrong 3 times, sim main state (include spn_watches)
is freed. but the watch id still be kept by other atoms (network and
gprs), when remove the atom, it will try to remove the watch from
spn_watches, ofono daemon will crash.
rs->imsi is only freed when rs->settings is true. So tweak the logic
inside radio_load_settings to only strdup the imsi when settings
creation has succeeded.
In some cases it is possible that a context is opened after a detach
event has been received, and right before an attach, depending on the
modem. We make sure that those contexts are removed to keep
consistency.
It works by looking for a context with the same APN and tries to use
that. Otherwise it will create it's own.
Then it assigns a gprs context driver and calls it's read_settings if
it exists.
When issuing a Scan() in poor reception while attached to an operator it's
fully possible to get no results, which causes the attached operator to be
cleaned up. In certain scenarios this would cause a use-after-free as there
are still references to this operator.
Transfer the attached operator to the new list regardless of removal caused
by the Scan() results.
This matches the behavior described by the documentation the signal
value returned by the code. This was causing a headache when using
stricter D-Bus wrappers like dbus-c++.
In situations where location changes rapidly, a use-after-free condition
can occur. What happens is that the timeout leaks and then the cbs
struct with the callback is cleaned up, resulting in a SIGSEGV when the
callback occurs from the glib loop.
When the voicecall atom is unregistered we remove all HFP support as
well but were supplying a zero as value to the emulator status
callbacks which caused the process to crash as we were dereferencing
the supplied value always and not respecting a zero as indicator to
reset.
When registering audio cards for the handsfree and gateway roles we
need a way for our users to differentiate between both to decide which
of them they start using for their purpose.
The kernel simply puts a null terminator at index 15 prior to ifr_name
processing. So we do the same.
Original report by:
Sabas Rosales, Blanca E <blanca.e.sabas.rosales@intel.com>
Buffer not null terminated (BUFFER_SIZE_WARNING) buffer_size_warning:
Calling strncpy with a maximum size argument of 16 bytes on destination
array ifr.ifr_ifrn.ifrn_name of size 16 bytes might leave the
destination string unterminated.
92 strncpy(ifr.ifr_name, interface, IFNAMSIZ);
Function: ag_features_list
static const char *list[10]; (Out of bounds write, line 75)
Incrementing i the value is now 10, for “hf-indicators”
Reported by: blanca.e.sabas.rosales@intel.com
TP-OA max length comparisons were incorrect because TP-OA's 7-bit
coded octets transport eleven 8-bit chars. The current code assumed
only 10 chars were possible.
The patch
- increases the array size to 23, (maximum of 22 bytes for UTF8
encoding + null terminator)
- Updates the sanity check to account for the correct maximum
- For encoding, checks the maximum length in UTF8 characters instead of
bytes
Init allocates a SCO audio socket always. oFono should do that
with bluez5 but not with bluez4. This patch starts the refactoring of
the handsfree_audio_manager init/cleanup functionality.
On some architectures the SimManager.Retries property was getting bogus
values. This is because we were sending an array which pointed to int
values instead of the expected unsigned char values.
This fix allocates a temporary array of unsigned chars to hold the
actual D-Bus values being sent. Additionally, the dictionary array is
changed to point to the temporary unsigned char based values instead of
the raw 'int' based retry values.
EF_PNN was not being read properly (see TS 24.008, section 10.5.3.5a,
for network names format), which affected the displayed PLMN name for
some MVNOs. Some modems already read the file and return the right
string: these do not show the problem.
The current bitshift logic in idmap incorrectly uses
the literal 1 for the value to shift in idmap_alloc(),
idmap_take(), and idmap_alloc_next(). This causes the
resulting value to be an int instead of a long, which
results in the wrong bit being set once the number of
bits to shift operand exceeds sizeof(int). Also
on some platforms, the behavior of the left bitshift
operator is undefined when this overflow occurs.
As we won't allow any card to be registered when the kernel doesn't
support defer_setup, we don't need to have the listening SCO socket
open in this case.
If the kernel doesn't support defer_setup for SCO, we shouldn't allow
cards to be registered, because in that case we won't be able to
properly send the file descriptor to the Agent.
So the value might be used directly for D-Bus property emission.
Otherwise D-Bus asserts and screws itself with:
ofonod[7427]: src/sms.c:handle_mwi()
process 7427: arguments to dbus_message_iter_append_basic() were
incorrect, assertion "*bool_p == 0 || *bool_p == 1" failed in file
../../dbus/dbus-message.c line 2549.
It's not possible to be both greater than '9' and less than '0'. This
would lead to accepting things like "#$33#" as activation and "*$33#" as
deactivation, even though the string makes no sense.
src/stk.c: In function ‘__ofono_cbs_sim_download’:
src/stk.c:283:45: error: argument to ‘sizeof’ in ‘memcpy’ call is the
same expression as the source; did you mean to dereference it?
[-Werror=sizeof-pointer-memaccess]
memcpy(&e.cbs_pp_download.page, msg, sizeof(msg));
^
In the case that ofono_handsfree_card_connect_sco() is called outside the
context of a .Connect() call, there's no message we need to reply. This
happens, for example, when the HFP AG plugin initiates a SCO connection when
it receives an AT+BCC command from the HF.
This patch extends SetProperty method of the Handsfree interface
allowing to disable echo canceling and noise reduction feature in
the audio gateway through a D-Bus method call. Once disabled, it
is not allowed to enable it using this procedure.
According to Bluetooth HFP spec: By default, if the AG supports its
own embedded echo canceling and/or noise reduction functions, it shall
have them activated until the AT+NREC command is received. The
configuration set by the HF shall by used by the AG while the Service
Level Connection is active.
Since there isn't a command to query the current value, it is being
assumed that Echo Canceling and Noise Reduction is enabled when the
connection is established and the gateway supports this feature.
HFP 1.6 adds a new feature called Codec Negotitation. For the HF Role,
this feature is stored in bit 8 of the supported features
bitmap.
This patch changes the range of valid HF feature bitmaps to 2^8-1.
Each time an agent registers itself, we check if we support deferred
setup and if the agent has mSBC as a codec, if both checks are true,
we enable wideband speech support.
'defer_setup' will be one of the inputs when enabling or disabling
support for wideband speech codecs, we will only enable wideband
speech support if the kernel supports deferred setup.
So, we have to have this information available, in this case it means
a global variable.
This patch removes the hard-coded CVSD codec, and adds the selected
codec in the NewConnection method call, notifying the agent the codec
previously selected for the audio connection.
This can be set by the modem driver to indicate that the device is
always in the online state when it is enabled. This is useful for
modem drivers that handle both CDMA and GSM devices.
When calling the card's .Connect() method, we should be able to
establish a SCO connection.
Right now, we only have support for establishing the SCO connection
directly, this is what is expected from HFP 1.5 HF/AG devices.
The Audio Card is being created when the NewConnection from BlueZ
Profile is received, and registered when the service level connection
negotiation finishes. This patch rejects SCO connection if the SCO
incoming connection arrives when the service level negotiation is
ongoing.
This patch adds Agent NewConnection call. The card object path, the SCO
file descriptor, and the codec are being passed to the agent. This
initial version supports CVSD codec only.
Unlike the previous implementation in the plugin, the SCO/SLC matching
is done based on the Audio Card objects.
Audio Cards are created when the RFCOMM fd descriptor is received, and
registered when the service level connetion is established.
This patch adds the Bluetooth utility funtions and socket type
declarations to a new header src/bluetooth.h, allowing to share it
between core, and plugins.
This patch adds the initial Handsfree Audio Manager "Register"
method implementation. It adds the parsing of the arguments included
in the message and checks if there is an agent registered already.
Adds the initial implementation of new experimental Handsfree Audio
Manager interface. This patch adds the interface registration and
the declaration of it's methods.
Set Up Call with extra DTMF characters after the phone number should be
set up with only the dialed number. Otherwise we get a sequence like
this:
{VoiceCallManager} [CallAdded] /ifx_0/voicecall01 { LineIdentification =
+012340123456c1c2, Name = , Emergency = False, Multiparty = False,
RemoteHeld = False, State = alerting, RemoteMultiparty = False }
ofonod[32055]: ++++++++ backtrace ++++++++
ofonod[32055]: #0 0x7f6af0ee3b30 in /lib64/libc.so.6
ofonod[32055]: #1 0x4c2466 in __ofono_watchlist_remove_item() at
src/watch.c:57
ofonod[32055]: #2 0x4b5b73 in ofono_sim_remove_spn_watch() at
src/sim.c:2715
ofonod[32055]: #3 0x497c30 in netreg_unregister() at src/network.c:1817
ofonod[32055]: #4 0x4912e1 in __ofono_atom_unregister() at
src/modem.c:277
ofonod[32055]: #5 0x491387 in flush_atoms() at src/modem.c:425
ofonod[32055]: #6 0x4b6cb8 in __ofono_sim_refresh() at src/sim.c:3154
ofonod[32055]: #7 0x4b8c41 in handle_command_refresh() at
src/stk.c:2302
ofonod[32055]: #8 0x4baf0d in
ofono_stk_proactive_command_handled_notify() at src/stk.c:3048
ofonod[32055]: #9 0x46c60f in satn_notify() at
drivers/ifxmodem/stk.c:229
ofonod[32055]: #10 0x7f6af1711455 in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #11 0x43e729 in at_chat_match_notify() at
gatchat/gatchat.c:421
ofonod[32055]: #12 0x440da8 in received_data() at gatchat/gatio.c:125
ofonod[32055]: #13 0x441834 in dispatch_sources() at
gatchat/gatmux.c:157
ofonod[32055]: #14 0x441bbd in received_data() at gatchat/gatmux.c:215
ofonod[32055]: #15 0x7f6af173dfc3 in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #16 0x7f6af16ef065 in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #17 0x7f6af16efd0f in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #18 0x7f6af16efef9 in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #19 0x7f6af16f032f in /usr/lib64/libglib-2.0.so.0
ofonod[32055]: #20 0x48f5f8 in main() at src/main.c:249
ofonod[32055]: #21 0x7f6af0ed04bd in /lib64/libc.so.6
ofonod[32055]: +++++++++++++++++++++++++++
When modem is brought online, then sim removed and re-inserted. We
crash when going online again due to the spn related data-structures not
being initialized properly
When the SIM is being refreshed, we try to access the SIM too fast after
the SIM REFRESH proactive command is received. Instead set the sim atom
into the 'RESETTING' state and wait until the modem driver signals the
sim insertion again.
The spec explicitly mentions continuous or repeatable tones. 02.40 only
mentions the RP-ACK tone as a single tone, all other tones seem to be
repeatable
By default, both stderr and syslog messages go to the systemd journal,
which results in duplicate messages being logged.
Thanks to Vinicius Costa Gomes for pointing out this problem.
src/smsutil.c: In function ‘cbs_decode_text’:
src/smsutil.c:4116:16: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
The previous commit fixed the bug, however performing a linear-search
through the entire tx-queue is quite wasteful. The current usage
pattern is to always modify the entry at the tail of the queue, so
optimize.