The VOCS discover callback may call vcp_vol_ctlr_discover_complete()
with a NULL vol_ctlr when lookup_vcp_by_vocs() fails.
This leads to a potential NULL pointer dereference as
vcp_vol_ctlr_discover_complete() unconditionally accesses
vol_ctlr->flags.
Fix this by returning early when vol_ctlr is NULL.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Core spec defines the range of adv intervals for extended advertising to
0x0020 to 0xFFFFFF, but the code currently only allows up to 0x4000.
This change enables the full range of intervals for extended advertising.
Signed-off-by: Kyra Lengfeld <kyra.lengfeld@nordicsemi.no>
Remove the logic that silently clamps the MTU to valid ranges and
instead return an error if the configured MTU is below the minimum
required size.
The MTU is now always set to the maximum value that the configuration
can support, rather than conditionally using a default only when
set to 0.
Change log level from WRN to ERR for the minimum MTU check since
this now represents a fatal configuration error.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
ISO connections basically have 2 connection states:
1 for the `bt_iso_chan`, and one for the underlying
`bt_conn`. Due to how hci_disconn_complete_prio works,
these may be out of sync while disconnecting, and
bt_iso_chan_send could return 0 after we have received
a disconnect event from the controller. In this case
the number of pending SDUs in the host for the ISO
channel could be non-0, which could cause issues.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Make the Coordinated Set Size, Set Member Lock and Set Member Rank
characteristic optional by adding three new Kconfig options
BT_CSIP_SET_MEMBER_SIZE_SUPPORT, BT_CSIP_SET_MEMBER_LOCK_SUPPORT and
BT_CSIP_SET_MEMBER_RANK_SUPPORT. Also updates the existing examples
and tests to compile correctly.
Signed-off-by: Maximilian Zimmermann <gitmz@posteo.de>
Reorder some of the large and complex shell command
functions, to make each function simpler to follow.
This also makes the code pass the Sonarcloud complexity
rule.
This also contains a few other various fixes and updates.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Instead of defining the same arguments in all 3 CAP files,
we declare them in audio.h and initiate them in either
the initiator or commander, depending on their use.
The reason for this change is that the CAP Handover API
requires several of the parameters to be globally/statically
allocated, and cannot just rely on stack allocated parameters.
By doing this, we can use the same argument among the
CAP shell modules, while keeping the memory usage down.
This has the additional positive effect that we do not allocate
some of these arrays, which can be quite large, on the stack.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Implement the shell command for handing over broadcast to
unicast. The command supports various configurations.
It is currently limited to cases with
- 1 connection and multiple streams
- Multiple connections and 1 stream
- Equal amount of streams and connections
Cases with e.g. 3 connections and 2 streams,
or vice versa, are not supported given the complexity
of these cases.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The two cached handles did not provide anything useful
and can be removed, thus freeing up some memory.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Instead of allocating a generic uuid and copying the BASS UUID
to it for each discovery, we can just declare and use it
as a constant as it won't change.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Fix insufficient buffer length validation in bt_sdp_parse_attribute().
The original check only verified space for the type byte and attribute
ID, but did not account for the type variable itself that is read from
the buffer immediately after the check.
This could lead to a buffer over-read if the buffer contains exactly
sizeof(uint8_t) + sizeof(attr->id) bytes but not enough for the
additional type field.
Add sizeof(type) to the length check to ensure all required data is
present before parsing.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
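The length-check gap described in the commit message above, as an added example (not Zephyr's code): a simplified model of the parse step in which `struct cursor`, `pull_u8()`, `parse_attr()` and `overread_bytes()` are hypothetical names and the sample bytes are constructed. The cursor counts bytes requested past the end instead of actually reading them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over received bytes (stand-in for the real buffer type). */
struct cursor {
	const uint8_t *data;
	size_t len;      /* bytes still unread */
	size_t overread; /* bytes a pull wanted past the end of the buffer */
};

static uint8_t pull_u8(struct cursor *c)
{
	if (c->len == 0) {
		c->overread++; /* real code would read memory past the buffer here */
		return 0;
	}
	c->len--;
	return *c->data++;
}

/* check_type=false models the old length check, true the corrected one. */
static bool parse_attr(struct cursor *c, uint16_t *id, uint8_t *type, bool check_type)
{
	size_t need = sizeof(uint8_t) + sizeof(*id) + (check_type ? sizeof(*type) : 0);
	if (c->len < need) {
		return false; /* truncated record: reject before pulling anything */
	}
	(void)pull_u8(c); /* descriptor byte of the attribute ID */
	*id = (uint16_t)(pull_u8(c) << 8);
	*id |= pull_u8(c);
	*type = pull_u8(c); /* value's type byte: only covered when check_type is true */
	return true;
}

/* Parse buf and return how many bytes would have been read out of bounds. */
static size_t overread_bytes(const uint8_t *buf, size_t len, bool check_type, bool *ok)
{
	struct cursor c = { .data = buf, .len = len, .overread = 0 };
	uint16_t id = 0;
	uint8_t type = 0;
	*ok = parse_attr(&c, &id, &type, check_type);
	return c.overread;
}

int main(void)
{
	const uint8_t cut[] = { 0x09, 0x00, 0x01 }; /* constructed: ID present, type byte missing */
	bool ok;
	printf("old check: %zu byte(s) over-read\n", overread_bytes(cut, sizeof(cut), false, &ok));
	printf("new check: %zu byte(s) over-read\n", overread_bytes(cut, sizeof(cut), true, &ok));
	return 0;
}
```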
Add checks to verify the valid length of broadcast names
in codec_cfg and codec_cap, both in terms of size in octets,
but also in terms of length in characters.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
MISRA-C requires essentially boolean type in control flow.
Convert all if/while conditions using err or ret
as implicit booleans to explicit comparisons:
- if (err) -> if (err != 0)
- Same rules applied to while statements and ret variable
Assisted-by: GitHub Copilot
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Move the AVRCP cover art initialization from bt_avrcp_init() to
bt_avrcp_tg_register_cb(). This ensures that cover art is initialized
only when the target callback is registered, aligning with the
initialization flow of other AVRCP target features.
Additionally, add a check in bt_avrcp_tg_cover_art_init() to prevent
re-initialization if the PSM is already set, returning success if
cover art is already initialized.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The bt_bap_unicast_client_discover and
bt_bap_broadcast_assistant_discover functions now require security
to have already been done before any operations are done.
The BAP requires a specific security level and properties,
and checking the security earlier will prevent any unnecessary
operations if the expected security requirement cannot be met.
Additionally, ensuring that there is an appropriate pairing with
the provided connection, ensures that we can rely on CONFIG_BT_MAX_PAIR
for some arrays in the future.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Make the qos parameter of the BAP and CAP APIs const,
as they are now only used as one-time parameters, and not stored.
This also means that any uses of this can place the qos
parameter in the stack, rather than static memory.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The pointer represents the qos configuration
for a stream based on the ASE or broadcast configuration,
and serves as a read-only value. Changing it to `const` makes
this more clear.
Some minor changes were done to existing code to help
support this change.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
In some cases the stream->qos pointer pointed to the
qos argument, and sometimes it pointed to the ep->qos.
Now all qos arguments are copied to ep->qos, and
stream->qos always points to stream->ep.qos.
Some modules had some refactoring done to properly store
the QoS. The unicast client had some additional checks
done or redone, and some now-unused code removed.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Standardize error handling for bt_conn_get_info()
across the Bluetooth shell.
- Use a local 'err' variable instead of inline calls
- Check for (err != 0) consistently
- Include error code in all error messages
- Improve log messages for better debugging context
This ensures consistent behavior and more
informative diagnostics when retrieving connection
information fails.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Use shell_error() instead of shell_print() when
bt_conn_get_info() fails and include the returned
error code in the log.
This makes failures easier to diagnose.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Coverity (CID 525133) reported that the return
value of bt_conn_get_info() was not checked in
disconnected(), which could lead to use of
uninitialized data.
Fix this by validating the return value before
using the connection info structure.
If retrieving the information fails, fall back to
using the generic connection type to preserve the
existing behavior.
This prevents undefined behavior while maintaining
the original logic.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Coverity (CID 333394) reported that the return
value of bt_conn_get_info() was not checked in
remote_info_available(), which could lead to use
of uninitialized data.
Fix this by checking the return value and aborting
early in case of error, ensuring that the
connection info structure is valid before use.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
The scan parameter is in units of 10ms in the Zephyr API, however the same
value was being treated differently for active and passive scanning. For
passive scanning the value got passed to the timeout as 10ms units, however
with active scanning it was treated as seconds by passing it to the
K_SECONDS() macro. Fix this by treating it as 10ms units in both cases.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Convert the scan command parameters to use getopt. While we're at it, get
rid of the confusing "dups" "nodups" options which actually behaved in the
inverse to their names ("nodups" would give you duplicate results while
"dups" would not). The new parameter is called the same as in the Zephyr
API and HCI, namely --filter-dups.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Add support for specifying the exact advertising interval for the
"advertise" shell command. The new support is done with the help of
getopt, and since this is the first user of it in the Bluetooth shell the
appropriate select statement is added in Kconfig.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Add Message Access Profile (MAP) shell command support to the
Bluetooth shell module.
Add map.c to the CMakeLists.txt build configuration when
CONFIG_BT_MAP is enabled, allowing MAP shell commands to be
compiled into the shell module.
Enable MAP configuration options in the Bluetooth shell test
configuration, including both MCE (Messaging Client Equipment)
and MSE (Messaging Server Equipment) functionality.
This enables testing and demonstration of MAP profile features
through the Bluetooth shell interface.
Signed-off-by: Can Wang <can.wang@nxp.com>
Add source files and Kconfig options for Bluetooth Message Access
Profile (MAP) support.
MAP enables remote access to messages stored on a Messaging Server
Equipment (MSE) device from a Messaging Client Equipment (MCE) device.
The profile supports browsing folder hierarchies, listing messages,
retrieving message content, sending messages, and receiving event
notifications.
Add Kconfig options to enable MAP profile with separate options for
MCE and MSE functions.
Add logging configuration for MAP module.
Signed-off-by: Can Wang <can.wang@nxp.com>
Remove casting of the attr->user_data for short vendor value and
instead directly use the defined `vnd_value`.
Use the same defined max length for the long_vnd functions, instead
of the sizeof operator on one of the arrays.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
Add Phone Book Access Profile (PBAP) implementation for Bluetooth Classic,
supporting both Phone Book Client Equipment (PCE) and Phone Book Server
Equipment (PSE) roles.
PBAP enables remote access to phone book data stored on a device,
allowing clients to retrieve contact information, call history, and
other phonebook-related data.
Key features:
- PCE (client) and PSE (server) role support
- RFCOMM and L2CAP transport layer support
- Pull phone book, vCard listing, and vCard entry operations
- Set phone book navigation (up/down/root)
- Abort operation support
- OBEX authentication (challenge-response with MD5)
- Application parameters for filtering and formatting
- SDP service registration and discovery
- Single Response Mode (SRM) support for GOEP v2
- Configurable PSE features (download, browsing, database identifier,
folder version counters, vCard selector, enhanced missed calls, etc.)
- Configurable PSE repositories (local phonebook, SIM, speed dial,
favorites)
The implementation includes:
- Core PBAP protocol handling (subsys/bluetooth/host/classic/pbap.c)
- Public API header (include/zephyr/bluetooth/classic/pbap.h)
- Internal definitions (subsys/bluetooth/host/classic/pbap_internal.h)
- Shell commands for testing and demonstration
(subsys/bluetooth/host/classic/shell/pbap.c)
- Comprehensive shell documentation with usage examples
(doc/connectivity/bluetooth/shell/classic/pbap.rst)
- Kconfig options for feature and repository configuration
- Build system integration (CMakeLists.txt)
- Logging support
Authentication uses PSA Crypto API (MD5) for nonce generation and
response digest calculation.
Signed-off-by: Cheng Chang <cheng.chang@nxp.com>
There's no need for bt_dev.random_addr to be a bt_addr_le_t, since the type
is always implicitly random. Change it to bt_addr_t and make the necessary
updates to the host code as well as host unit tests.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Ifdef the AAR/CCM/ECB DMA related code based on the HAL macro which tells
if the new EVDMA is present in the device, instead of particular devices,
so we do not need to ifdef on several devices as new devices are added.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
Re-add __ASSERT_NO_MSG in bt_uuid_to_uuid() for invalid UUID types.
This was removed in commit 9906fdb to work around a pre-existing ASCS
memcpy bug that has since been fixed.
Add return value checking for all snprintk() calls in bt_uuid_to_str()
per Zephyr coding guidelines. Since the function returns void and uuid.c
has no logging, __ASSERT_NO_MSG is used to catch encoding errors in
debug builds while preserving the existing silent-truncation behavior.
Follow-up from: https://github.com/zephyrproject-rtos/zephyr/pull/103817
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
The valid_conn_cte_tx_params() function checked BT_DF_CTE_TYPE_AOD_1US
twice instead of checking both BT_DF_CTE_TYPE_AOD_1US and
BT_DF_CTE_TYPE_AOD_2US. This allowed AoD 2US to bypass the antenna
switch pattern validation in the host.
The controller also validates these parameters, so the impact is
limited to a missing defense-in-depth check in the host layer.
Signed-off-by: Andre Viegas <andreviegas@piscodeluz.org>
Assisted-by: Claude:claude-opus-4.6 ForgeQL
For a busy wait needed only for simulation we can use the Z_SPIN_DELAY
macro which is more compact and does nothing in real targets.
For the ecb test, we do not need to treat simulated HW differently than
real HW.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
When a client subscribes to Service Changed CCC before bonding
and privacy is enabled, the SC config is initially stored under
the peer's RPA. On reconnection with a new RPA, sc_restore()
looks up the config by identity address and fails to find it,
so the SC indication is never delivered.
Re-key the SC config entry from the RPA to the resolved identity
address in bt_gatt_identity_resolved(), matching the existing
re-keying logic for CCC and CF configs in the same callback.
If a separate entry already exists under the identity address,
merge the attribute handle ranges and remove the duplicate.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
Co-authored-by: Einar Thorsrud <einar.thorsrud@nordicsemi.no>
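The re-key and merge behaviour described in the commit message above, as an added example (not Zephyr's code): a simplified table model in which `struct sc_cfg`, `sc_find()` and `sc_identity_resolved()` are hypothetical, addresses are constructed strings, and a 0..0 range is assumed to mean that nothing is pending.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_CFG_MAX 4

/* Simplified Service Changed config entry; names and layout are assumptions. */
struct sc_cfg {
	char peer[18];       /* address the entry is keyed by, "" = free slot */
	uint16_t start, end; /* pending changed handle range, 0..0 = none */
};

static struct sc_cfg *sc_find(struct sc_cfg *tbl, const char *addr)
{
	for (size_t i = 0; i < SC_CFG_MAX; i++) {
		if (tbl[i].peer[0] != '\0' && strcmp(tbl[i].peer, addr) == 0) {
			return &tbl[i];
		}
	}
	return NULL;
}

/* Model of the re-keying step run when a peer's RPA resolves to its identity. */
static void sc_identity_resolved(struct sc_cfg *tbl, const char *rpa, const char *identity)
{
	struct sc_cfg *old = sc_find(tbl, rpa);
	struct sc_cfg *cur = sc_find(tbl, identity);

	if (old == NULL || old == cur) {
		return; /* nothing stored under the RPA */
	}
	if (cur == NULL) {
		snprintf(old->peer, sizeof(old->peer), "%s", identity); /* re-key in place */
		return;
	}
	if (cur->start == 0 && cur->end == 0) {
		cur->start = old->start; /* identity entry had nothing pending */
		cur->end = old->end;
	} else if (old->start != 0 || old->end != 0) {
		cur->start = old->start < cur->start ? old->start : cur->start;
		cur->end = old->end > cur->end ? old->end : cur->end;
	}
	memset(old, 0, sizeof(*old)); /* drop the duplicate kept under the RPA */
}

int main(void)
{
	/* Constructed addresses: subscription stored under the RPA before bonding. */
	struct sc_cfg tbl[SC_CFG_MAX] = { { "7A:00:00:00:00:01", 0x0010, 0x0020 } };
	sc_identity_resolved(tbl, "7A:00:00:00:00:01", "C0:11:22:33:44:55");
	printf("lookup by identity after re-key: %s\n",
	       sc_find(tbl, "C0:11:22:33:44:55") ? "found" : "missing");
	return 0;
}
```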
Adds an assert to the `update_range` function in gatt.c to verify
that the start handle is not larger than the end handle.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
Modify the behavior of update_recv_state_big_cleared to follow
what the current BASS test specification and PTS expect to pass
test cases related to bad broadcast codes. There are open
errata for this behavior to properly define it, but until then
we should follow what the qualification tests expect.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Add validation to ensure the indicator index is within the valid range
of the ind_table array before accessing it in cind_handle_values().
Without this check, an out-of-bounds index could lead to buffer overrun
when the index is used to access hf->ind_table array elements later in
the function.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
To ensure correctness and to avoid any race conditions,
atomic_test_and_set_bit should be used instead of an atomic_test_bit
followed by an atomic_set_bit.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
add_bonded_addr_to_client_list returned after adding the address of
`info->addr` once, which meant that only the first svc_inst got updated.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Before config flags were introduced to `bt_keys`, the `keys_set`
allowed loading previously stored keys after disabling support for
Bluetooth LE legacy pairing or signing during DFU (only the beginning of
the settings record was used after the DFU).
Introducing the version field prevents loading keys in this scenario.
Settings records that contain extra data are not migrated to the new
format during the settings load operation and eventually are cleared.
This change allows automatic migration of `bt_keys` stored with extra data
to the new format in the most common scenario where both legacy pairing
and signing support are disabled. This allows the keys to still be
properly loaded and used.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
Improve error handling for L2CAP BR/EDR signaling buffer allocation
failures by introducing a fallback mechanism and proper cleanup paths.
Add l2cap_br_create_pdu() helper function that attempts to allocate
from the specified pool with a timeout, and falls back to the default
pool if allocation fails. This prevents system hangs when the BR/EDR
signaling buffer pool is exhausted.
Update all bt_l2cap_create_pdu() call sites to use the new helper with
appropriate timeouts (K_FOREVER for requests, specific timeouts for
responses). Add error handling to properly disconnect channels or clean
up resources when buffer allocation fails.
Introduce l2cap_br_chan_disconn() helper to centralize channel
disconnection logic, ensuring proper cleanup when disconnect requests
cannot be sent.
Change br_sig_pool user data size from hardcoded 8 bytes to
CONFIG_BT_CONN_TX_USER_DATA_SIZE for consistency with other buffer
pools.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When an ISO channel is established, we now log all the
information we receive from the controller for that
specific channel.
This can be useful in debugging and determining certain
behaviors.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>