From: P J P To: Qemu Developers Date: Mon, 19 Nov 2018 16:37:57 +0530 Message-Id: <20181119110757.2692-1-ppandit@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Mon, 19 Nov 2018 11:10:11 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v2] bt: use size_t type for length parameters instead of int X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Peter Maydell , Thomas Huth , Prasad J Pandit , Arash TC , Paolo Bonzini , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Prasad J Pandit The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Add check to avoid it. Reported-by: Arash TC Signed-off-by: Prasad J Pandit Reviewed-by: Thomas Huth --- bt-host.c | 8 +++--- bt-vhci.c | 7 +++--- hw/bt/core.c | 2 +- hw/bt/hci-csr.c | 32 ++++++++++++------------ hw/bt/hci.c | 38 ++++++++++++++-------------- hw/bt/hid.c | 10 ++++---- hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- hw/bt/sdp.c | 6 ++--- hw/usb/dev-bluetooth.c | 12 ++++----- include/hw/bt.h | 8 +++--- include/sysemu/bt.h | 10 ++++---- 11 files changed, 96 insertions(+), 93 deletions(-) Update v2: modify assert calls -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg01036.html diff --git a/bt-host.c b/bt-host.c index 2f8f631c25..b73a44d07d 100644 --- a/bt-host.c +++ b/bt-host.c 
@@ -43,7 +43,7 @@ struct bt_host_hci_s { }; =20 static void bt_host_send(struct HCIInfo *hci, - int type, const uint8_t *data, int len) + int type, const uint8_t *data, size_t len) { struct bt_host_hci_s *s =3D (struct bt_host_hci_s *) hci; uint8_t pkt =3D type; @@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo *hci, } } =20 -static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t l= en) { bt_host_send(hci, HCI_COMMAND_PKT, data, len); } =20 -static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t l= en) { bt_host_send(hci, HCI_ACLDATA_PKT, data, len); } =20 -static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t l= en) { bt_host_send(hci, HCI_SCODATA_PKT, data, len); } diff --git a/bt-vhci.c b/bt-vhci.c index 9d277c32bf..765773188d 100644 --- a/bt-vhci.c +++ b/bt-vhci.c @@ -90,7 +90,7 @@ static void vhci_read(void *opaque) } =20 static void vhci_host_send(void *opaque, - int type, const uint8_t *data, int len) + int type, const uint8_t *data, size_t len) { struct bt_vhci_s *s =3D (struct bt_vhci_s *) opaque; #if 0 @@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque, static uint8_t buf[4096]; =20 buf[0] =3D type; + assert(len < sizeof(buf)); memcpy(buf + 1, data, len); =20 while (write(s->fd, buf, len + 1) < 0) @@ -125,13 +126,13 @@ static void vhci_host_send(void *opaque, } =20 static void vhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_EVENT_PKT, data, len); } =20 static void vhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len); } 
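Review bot: The new `assert(len < sizeof(buf));` in vhci_host_send turns an oversized packet into a process abort instead of a dropped packet. The callers vhci_out_hci_packet_event and vhci_out_hci_packet_acl pass `len` straight through and its origin is outside this diff; if the guest can influence it, the assert becomes a way to terminate the whole emulator. A rejecting guard keeps the memcpy bounded without that side effect, for example `if (len >= sizeof(buf)) { return; }`, preferably with an error_report before the return. The function body continues outside the hunk.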
diff --git a/hw/bt/core.c b/hw/bt/core.c index 78370e64f5..62720d1663 100644 --- a/hw/bt/core.c +++ b/hw/bt/core.c @@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_master(struct bt_link= _s *link) } =20 static void bt_dummy_lmp_acl_resp(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { error_report("%s: stray ACL response PDU, fixme", __func__); exit(-1); diff --git a/hw/bt/hci-csr.c b/hw/bt/hci-csr.c index 0341ded50c..26bd516d31 100644 --- a/hw/bt/hci-csr.c +++ b/hw/bt/hci-csr.c @@ -103,7 +103,7 @@ static inline void csrhci_fifo_wake(struct csrhci_s *s) } =20 #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, le= n) -static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len) +static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len) { int off =3D s->out_start + s->out_len; =20 @@ -112,14 +112,14 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s,= int len) =20 if (off < FIFO_LEN) { if (off + len > FIFO_LEN && (s->out_size =3D off + len) > FIFO_LEN= * 2) { - error_report("%s: can't alloc %i bytes", __func__, len); + error_report("%s: can't alloc %zu bytes", __func__, len); exit(-1); } return s->outfifo + off; } =20 if (s->out_len > s->out_size) { - error_report("%s: can't alloc %i bytes", __func__, len); + error_report("%s: can't alloc %zu bytes", __func__, len); exit(-1); } =20 @@ -127,7 +127,7 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s, i= nt len) } =20 static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s, - int type, int len) + int type, size_t len) { uint8_t *ret =3D csrhci_out_packetz(s, len + 2); =20 @@ -138,7 +138,7 @@ static inline uint8_t *csrhci_out_packet_csr(struct csr= hci_s *s, } =20 static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s, - int evt, int len) + int evt, size_t len) { uint8_t *ret =3D csrhci_out_packetz(s, len + 1 + sizeof(struct hci_event_hdr)); 
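Review bot: With `len` now `size_t`, the bounds test `off + len > FIFO_LEN` in csrhci_out_packet is evaluated in unsigned arithmetic, so a very large `len` wraps the sum to a small value and the "can't alloc" path is skipped before the pointer goes back to a caller that writes `len` bytes (csrhci_out_packetz does a memset of `len`). Bounding `len` before the addition avoids this, for example `if (len > FIFO_LEN * 2) { error_report("%s: can't alloc %zu bytes", __func__, len); exit(-1); }` ahead of the existing test. The same add-then-compare shape appears in bt_hci_lmp_acl_data, where `len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)` is safer written as `len > sizeof(hci->acl_buf) - HCI_ACL_HDR_SIZE`, and in usb_bt_fifo_enqueue (`off + len > DFIFO_LEN_MASK + 1`). Whether any caller can produce such a value is not visible in this diff, but an unsigned subtraction upstream would now yield exactly that rather than a negative number.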
@@ -151,7 +151,7 @@ static inline uint8_t *csrhci_out_packet_event(struct c= srhci_s *s, } =20 static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf, - uint8_t *data, int len) + uint8_t *data, size_t len) { int offset; uint8_t *rpkt; @@ -320,18 +320,18 @@ static int csrhci_write(struct Chardev *chr, struct csrhci_s *s =3D (struct csrhci_s *)chr; int total =3D 0; =20 - if (!s->enable) + if (!s->enable || len <=3D 0) return 0; =20 for (;;) { int cnt =3D MIN(len, s->in_needed - s->in_len); - if (cnt) { - memcpy(s->inpkt + s->in_len, buf, cnt); - s->in_len +=3D cnt; - buf +=3D cnt; - len -=3D cnt; - total +=3D cnt; - } + assert(cnt > 0); + + memcpy(s->inpkt + s->in_len, buf, cnt); + s->in_len +=3D cnt; + buf +=3D cnt; + len -=3D cnt; + total +=3D cnt; =20 if (s->in_len < s->in_needed) { break; @@ -363,7 +363,7 @@ static int csrhci_write(struct Chardev *chr, } =20 static void csrhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s =3D (struct csrhci_s *) opaque; uint8_t *pkt =3D csrhci_out_packet(s, (len + 2) & ~1); /* Align */ @@ -375,7 +375,7 @@ static void csrhci_out_hci_packet_event(void *opaque, } =20 static void csrhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s =3D (struct csrhci_s *) opaque; uint8_t *pkt =3D csrhci_out_packet(s, (len + 2) & ~1); /* Align */ diff --git a/hw/bt/hci.c b/hw/bt/hci.c index c6b2cc1d48..c59ccc55b9 100644 --- a/hw/bt/hci.c +++ b/hw/bt/hci.c @@ -32,7 +32,7 @@ =20 struct bt_hci_s { uint8_t *(*evt_packet)(void *opaque); - void (*evt_submit)(void *opaque, int len); + void (*evt_submit)(void *opaque, size_t len); void *opaque; uint8_t evt_buf[256]; =20 
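Review bot: The unconditional `assert(cnt > 0);` in csrhci_write replaces the old `if (cnt)` guard, yet `cnt` is legitimately 0 whenever `len` has been fully consumed or `s->in_needed == s->in_len`. The entry check `len <= 0` covers only the first pass of the `for (;;)` loop; the rest of the loop is outside this hunk, and if it comes back round after a packet completes exactly at the end of the buffer, the assert aborts the emulator on ordinary input. Keeping the original `if (cnt) { ... }` around the copy and rejecting only the negative case, `if (cnt < 0) { break; }`, would bound the memcpy without adding an abort path.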
@@ -62,7 +62,7 @@ struct bt_hci_s { struct bt_hci_master_link_s { struct bt_link_s *link; void (*lmp_acl_data)(struct bt_link_s *link, - const uint8_t *data, int start, int len); + const uint8_t *data, int start, size_t len); QEMUTimer *acl_mode_timer; } handle[HCI_HANDLES_MAX]; uint32_t role_bmp; @@ -434,7 +434,7 @@ static const uint8_t bt_event_reserved_mask[8] =3D { }; =20 =20 -static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int le= n) +static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t= len) { } =20 @@ -452,13 +452,13 @@ struct HCIInfo null_hci =3D { =20 =20 static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, - int evt, int len) + int evt, size_t len) { uint8_t *packet, mask; int mask_byte; =20 if (len > 255) { - error_report("%s: HCI event params too long (%ib)", __func__, len); + error_report("%s: HCI event params too long (%zub)", __func__, len= ); exit(-1); } =20 @@ -475,7 +475,7 @@ static inline uint8_t *bt_hci_event_start(struct bt_hci= _s *hci, } =20 static inline void bt_hci_event(struct bt_hci_s *hci, int evt, - void *params, int len) + void *params, size_t len) { uint8_t *packet =3D bt_hci_event_start(hci, evt, len); =20 @@ -500,7 +500,7 @@ static inline void bt_hci_event_status(struct bt_hci_s = *hci, int status) } =20 static inline void bt_hci_event_complete(struct bt_hci_s *hci, - void *ret, int len) + void *ret, size_t len) { uint8_t *packet =3D bt_hci_event_start(hci, EVT_CMD_COMPLETE, len + EVT_CMD_COMPLETE_SIZE); @@ -1477,7 +1477,7 @@ static inline void bt_hci_event_num_comp_pkts(struct = bt_hci_s *hci, } =20 static void bt_submit_hci(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci =3D hci_from_info(info); uint16_t cmd; 
@@ -1971,7 +1971,7 @@ static void bt_submit_hci(struct HCIInfo *info, break; =20 short_hci: - error_report("%s: HCI packet too short (%iB)", __func__, length); + error_report("%s: HCI packet too short (%zuB)", __func__, length); bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); break; } @@ -1982,7 +1982,7 @@ static void bt_submit_hci(struct HCIInfo *info, * know that a packet contained the last fragment of the SDU when the next * SDU starts. */ static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t hand= le, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct hci_acl_hdr *pkt =3D (void *) hci->acl_buf; =20 @@ -1990,7 +1990,7 @@ static inline void bt_hci_lmp_acl_data(struct bt_hci_= s *hci, uint16_t handle, /* TODO: avoid memcpy'ing */ =20 if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) { - error_report("%s: can't take ACL packets %i bytes long", + error_report("%s: can't take ACL packets %zu bytes long", __func__, len); return; } @@ -2004,7 +2004,7 @@ static inline void bt_hci_lmp_acl_data(struct bt_hci_= s *hci, uint16_t handle, } =20 static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct bt_hci_link_s *link =3D (struct bt_hci_link_s *) btlink; =20 @@ -2013,14 +2013,14 @@ static void bt_hci_lmp_acl_data_slave(struct bt_lin= k_s *btlink, } =20 static void bt_hci_lmp_acl_data_host(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { bt_hci_lmp_acl_data(hci_from_device(link->host), link->handle, data, start, len); } =20 static void bt_submit_acl(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci =3D hci_from_info(info); uint16_t handle; 
@@ -2028,7 +2028,7 @@ static void bt_submit_acl(struct HCIInfo *info, struct bt_link_s *link; =20 if (length < HCI_ACL_HDR_SIZE) { - error_report("%s: ACL packet too short (%iB)", __func__, length); + error_report("%s: ACL packet too short (%zuB)", __func__, length); return; } =20 @@ -2046,7 +2046,7 @@ static void bt_submit_acl(struct HCIInfo *info, handle &=3D ~HCI_HANDLE_OFFSET; =20 if (datalen > length) { - error_report("%s: ACL packet too short (%iB < %iB)", + error_report("%s: ACL packet too short (%zuB < %iB)", __func__, length, datalen); return; } @@ -2088,7 +2088,7 @@ static void bt_submit_acl(struct HCIInfo *info, } =20 static void bt_submit_sco(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci =3D hci_from_info(info); uint16_t handle; @@ -2107,7 +2107,7 @@ static void bt_submit_sco(struct HCIInfo *info, } =20 if (datalen > length) { - error_report("%s: SCO packet too short (%iB < %iB)", + error_report("%s: SCO packet too short (%zuB < %iB)", __func__, length, datalen); return; } @@ -2128,7 +2128,7 @@ static uint8_t *bt_hci_evt_packet(void *opaque) return s->evt_buf; } =20 -static void bt_hci_evt_submit(void *opaque, int len) +static void bt_hci_evt_submit(void *opaque, size_t len) { /* TODO: notify upper layer */ struct bt_hci_s *s =3D opaque; diff --git a/hw/bt/hid.c b/hw/bt/hid.c index 056291f9b5..c5ecc8bdcd 100644 --- a/hw/bt/hid.c +++ b/hw/bt/hid.c @@ -96,7 +96,7 @@ struct bt_hid_device_s { int data_type; int intr_state; struct { - int len; + size_t len; uint8_t buffer[1024]; } dataother, datain, dataout, feature, intrdataout; enum { @@ -169,7 +169,7 @@ static void bt_hid_disconnect(struct bt_hid_device_s *s) } =20 static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t *pkt, hdr =3D (BT_DATA << 4) | type; int plen; 
@@ -190,7 +190,7 @@ static void bt_hid_send_data(struct bt_l2cap_conn_param= s_s *ch, int type, } =20 static void bt_hid_control_transaction(struct bt_hid_device_s *s, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t type, parameter; int rlen, ret =3D -1; @@ -362,7 +362,7 @@ static void bt_hid_control_transaction(struct bt_hid_de= vice_s *s, bt_hid_send_handshake(s, ret); } =20 -static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len) +static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t l= en) { struct bt_hid_device_s *hid =3D opaque; =20 @@ -388,7 +388,7 @@ static void bt_hid_datain(HIDState *hs) hid->datain.buffer, hid->datain.len); } =20 -static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int le= n) +static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t= len) { struct bt_hid_device_s *hid =3D opaque; =20 diff --git a/hw/bt/l2cap.c b/hw/bt/l2cap.c index 9cf27f0df6..efd9a4b66a 100644 --- a/hw/bt/l2cap.c +++ b/hw/bt/l2cap.c @@ -32,10 +32,10 @@ struct l2cap_instance_s { int role; =20 uint8_t frame_in[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4))); - int frame_in_len; + uint32_t frame_in_len; =20 uint8_t frame_out[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4))= ); - int frame_out_len; + uint32_t frame_out_len; =20 /* Signalling channel timers. They exist per-request but we can make * sure we have no more than one outstanding request at any time. */ @@ -49,7 +49,7 @@ struct l2cap_instance_s { struct bt_l2cap_conn_params_s params; =20 void (*frame_in)(struct l2cap_chan_s *chan, uint16_t cid, - const l2cap_hdr *hdr, int len); + const l2cap_hdr *hdr, size_t len); int mps; int min_mtu; =20 
@@ -68,7 +68,7 @@ struct l2cap_instance_s { =20 /* Only flow-controlled, connection-oriented channels */ uint8_t sdu[65536]; /* TODO: dynamically allocate */ - int len_cur, len_total; + uint32_t len_cur, len_total; int rexmit; int monitor_timeout; QEMUTimer *monitor_timer; @@ -140,7 +140,7 @@ static const uint16_t l2cap_fcs16_table[256] =3D { 0x8201, 0x42c0, 0x4380, 0x8341, 0x4100, 0x81c1, 0x8081, 0x4040, }; =20 -static uint16_t l2cap_fcs16(const uint8_t *message, int len) +static uint16_t l2cap_fcs16(const uint8_t *message, size_t len) { uint16_t fcs =3D 0x0000; =20 @@ -186,7 +186,7 @@ static void l2cap_monitor_timer_update(struct l2cap_cha= n_s *ch) } =20 static void l2cap_command_reject(struct l2cap_instance_s *l2cap, int id, - uint16_t reason, const void *data, int plen) + uint16_t reason, const void *data, size_t plen) { uint8_t *pkt; l2cap_cmd_hdr *hdr; @@ -247,7 +247,7 @@ static void l2cap_connection_response(struct l2cap_inst= ance_s *l2cap, } =20 static void l2cap_configuration_request(struct l2cap_instance_s *l2cap, - int dcid, int flag, const uint8_t *data, int len) + int dcid, int flag, const uint8_t *data, size_t len) { uint8_t *pkt; l2cap_cmd_hdr *hdr; @@ -275,7 +275,7 @@ static void l2cap_configuration_request(struct l2cap_in= stance_s *l2cap, } =20 static void l2cap_configuration_response(struct l2cap_instance_s *l2cap, - int scid, int flag, int result, const uint8_t *data, int l= en) + int scid, int flag, int result, const uint8_t *data, size_= t len) { uint8_t *pkt; l2cap_cmd_hdr *hdr; @@ -322,7 +322,7 @@ static void l2cap_disconnection_response(struct l2cap_i= nstance_s *l2cap, } =20 static void l2cap_echo_response(struct l2cap_instance_s *l2cap, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t *pkt; l2cap_cmd_hdr *hdr; 
@@ -343,7 +343,7 @@ static void l2cap_echo_response(struct l2cap_instance_s= *l2cap, } =20 static void l2cap_info_response(struct l2cap_instance_s *l2cap, int type, - int result, const uint8_t *data, int len) + int result, const uint8_t *data, size_t len) { uint8_t *pkt; l2cap_cmd_hdr *hdr; @@ -366,16 +366,18 @@ static void l2cap_info_response(struct l2cap_instance= _s *l2cap, int type, l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params); } =20 -static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int = len); +static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, + size_t len); static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms); #if 0 -static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int = len); +static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, + size_t len); static void l2cap_iframe_submit(struct bt_l2cap_conn_params_s *parm); #endif static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid, - const l2cap_hdr *hdr, int len); + const l2cap_hdr *hdr, size_t len); static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid, - const l2cap_hdr *hdr, int len); + const l2cap_hdr *hdr, size_t len); =20 static int l2cap_cid_new(struct l2cap_instance_s *l2cap) { @@ -499,7 +501,7 @@ static void l2cap_channel_config_req_event(struct l2cap= _instance_s *l2cap, =20 static int l2cap_channel_config(struct l2cap_instance_s *l2cap, struct l2cap_chan_s *ch, int flag, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { l2cap_conf_opt *opt; l2cap_conf_opt_qos *qos; @@ -684,7 +686,7 @@ static int l2cap_channel_config(struct l2cap_instance_s= *l2cap, } =20 static void l2cap_channel_config_req_msg(struct l2cap_instance_s *l2cap, - int flag, int cid, const uint8_t *data, int len) + int flag, int cid, const uint8_t *data, size_t len) { struct l2cap_chan_s *ch; =20 
@@ -716,7 +718,7 @@ static void l2cap_channel_config_req_msg(struct l2cap_i= nstance_s *l2cap, } =20 static int l2cap_channel_config_rsp_msg(struct l2cap_instance_s *l2cap, - int result, int flag, int cid, const uint8_t *data, int le= n) + int result, int flag, int cid, const uint8_t *data, size_t= len) { struct l2cap_chan_s *ch; =20 @@ -784,7 +786,7 @@ static void l2cap_info(struct l2cap_instance_s *l2cap, = int type) } =20 static void l2cap_command(struct l2cap_instance_s *l2cap, int code, int id, - const uint8_t *params, int len) + const uint8_t *params, size_t len) { int err; =20 @@ -939,7 +941,7 @@ static void l2cap_rexmit_enable(struct l2cap_chan_s *ch= , int enable) } =20 /* Command frame SDU */ -static void l2cap_cframe_in(void *opaque, const uint8_t *data, int len) +static void l2cap_cframe_in(void *opaque, const uint8_t *data, size_t len) { struct l2cap_instance_s *l2cap =3D opaque; const l2cap_cmd_hdr *hdr; @@ -967,7 +969,7 @@ static void l2cap_cframe_in(void *opaque, const uint8_t= *data, int len) } =20 /* Group frame SDU */ -static void l2cap_gframe_in(void *opaque, const uint8_t *data, int len) +static void l2cap_gframe_in(void *opaque, const uint8_t *data, size_t len) { } =20 @@ -978,7 +980,7 @@ static void l2cap_sframe_in(struct l2cap_chan_s *ch, ui= nt16_t ctrl) =20 /* Basic L2CAP mode Information frame */ static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid, - const l2cap_hdr *hdr, int len) + const l2cap_hdr *hdr, size_t len) { /* We have a full SDU, no further processing */ ch->params.sdu_in(ch->params.opaque, hdr->data, len); @@ -986,7 +988,7 @@ static void l2cap_bframe_in(struct l2cap_chan_s *ch, ui= nt16_t cid, =20 /* Flow Control and Retransmission mode frame */ static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid, - const l2cap_hdr *hdr, int len) + const l2cap_hdr *hdr, size_t len) { uint16_t fcs =3D lduw_le_p(hdr->data + len - 2); =20 
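Review bot: l2cap_iframe_in reads the FCS with `lduw_le_p(hdr->data + len - 2)` as its first statement, and no `len >= 2` guard is visible in the function. A frame shorter than two bytes makes that read land before `hdr->data`, and changing `len` to `size_t` does not affect it. If the caller does not already guarantee at least two bytes, add `if (len < 2) { return; }` before the read; if it does, a comment such as `/* caller guarantees len >= 2 (FCS present) */` would record the precondition. The function body continues outside the hunk.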
@@ -1077,7 +1079,7 @@ static void l2cap_frame_in(struct l2cap_instance_s *l= 2cap, =20 /* "Recombination" */ static void l2cap_pdu_in(struct l2cap_instance_s *l2cap, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { const l2cap_hdr *hdr =3D (void *) l2cap->frame_in; =20 @@ -1124,7 +1126,7 @@ static inline void l2cap_pdu_submit(struct l2cap_inst= ance_s *l2cap) (l2cap->link, l2cap->frame_out, 1, l2cap->frame_out_len); } =20 -static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int = len) +static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, size= _t len) { struct l2cap_chan_s *chan =3D (struct l2cap_chan_s *) parm; =20 @@ -1147,7 +1149,7 @@ static void l2cap_bframe_submit(struct bt_l2cap_conn_= params_s *parms) =20 #if 0 /* Stub: Only used if an emulated device requests outgoing flow control */ -static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int = len) +static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, size= _t len) { struct l2cap_chan_s *chan =3D (struct l2cap_chan_s *) parm; =20 @@ -1292,7 +1294,7 @@ static void l2cap_lmp_disconnect_slave(struct bt_link= _s *link) } =20 static void l2cap_lmp_acl_data_slave(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct slave_l2cap_instance_s *l2cap =3D (struct slave_l2cap_instance_s *) link; @@ -1305,7 +1307,7 @@ static void l2cap_lmp_acl_data_slave(struct bt_link_s= *link, =20 /* Stub */ static void l2cap_lmp_acl_data_host(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct bt_l2cap_device_s *dev =3D (struct bt_l2cap_device_s *) link->h= ost; struct l2cap_instance_s *l2cap =3D diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c index f4aba9d74f..163d315874 100644 --- a/hw/bt/sdp.c +++ b/hw/bt/sdp.c 
@@ -497,7 +497,7 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_= sdp_state_s *sdp, return end + 2; } =20 -static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, int len) +static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, size_t = len) { struct bt_l2cap_sdp_state_s *sdp =3D opaque; enum bt_sdp_cmd pdu_id; @@ -507,7 +507,7 @@ static void bt_l2cap_sdp_sdu_in(void *opaque, const uin= t8_t *data, int len) int rsp_len =3D 0; =20 if (len < 5) { - error_report("%s: short SDP PDU (%iB).", __func__, len); + error_report("%s: short SDP PDU (%zuB).", __func__, len); return; } =20 @@ -518,7 +518,7 @@ static void bt_l2cap_sdp_sdu_in(void *opaque, const uin= t8_t *data, int len) len -=3D 5; =20 if (len !=3D plen) { - error_report("%s: wrong SDP PDU length (%iB !=3D %iB).", + error_report("%s: wrong SDP PDU length (%iB !=3D %zuB).", __func__, plen, len); err =3D SDP_INVALID_PDU_SIZE; goto respond; diff --git a/hw/usb/dev-bluetooth.c b/hw/usb/dev-bluetooth.c index eac7365b0a..cf46ba06c6 100644 --- a/hw/usb/dev-bluetooth.c +++ b/hw/usb/dev-bluetooth.c @@ -265,7 +265,7 @@ static void usb_bt_fifo_reset(struct usb_hci_in_fifo_s = *fifo) } =20 static void usb_bt_fifo_enqueue(struct usb_hci_in_fifo_s *fifo, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { int off =3D fifo->dstart + fifo->dlen; uint8_t *buf; @@ -274,13 +274,13 @@ static void usb_bt_fifo_enqueue(struct usb_hci_in_fif= o_s *fifo, if (off <=3D DFIFO_LEN_MASK) { if (off + len > DFIFO_LEN_MASK + 1 && (fifo->dsize =3D off + len) > (DFIFO_LEN_MASK + 1)= * 2) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __func__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __func__, len); exit(-1); } buf =3D fifo->data + off; } else { if (fifo->dlen > fifo->dsize) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __func__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __func__, len); exit(-1); } buf =3D fifo->data + off - fifo->dsize; 
@@ -319,7 +319,7 @@ static inline void usb_bt_fifo_dequeue(struct usb_hci_i= n_fifo_s *fifo, =20 static inline void usb_bt_fifo_out_enqueue(struct USBBtState *s, struct usb_hci_out_fifo_s *fifo, - void (*send)(struct HCIInfo *, const uint8_t *, int), + void (*send)(struct HCIInfo *, const uint8_t *, size_t), int (*complete)(const uint8_t *, int), USBPacket *p) { @@ -478,7 +478,7 @@ static void usb_bt_handle_data(USBDevice *dev, USBPacke= t *p) } =20 static void usb_bt_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct USBBtState *s =3D (struct USBBtState *) opaque; =20 @@ -489,7 +489,7 @@ static void usb_bt_out_hci_packet_event(void *opaque, } =20 static void usb_bt_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct USBBtState *s =3D (struct USBBtState *) opaque; =20 diff --git a/include/hw/bt.h b/include/hw/bt.h index b5e11d4d43..bc362aa662 100644 --- a/include/hw/bt.h +++ b/include/hw/bt.h @@ -94,9 +94,9 @@ struct bt_device_s { void (*lmp_disconnect_master)(struct bt_link_s *link); void (*lmp_disconnect_slave)(struct bt_link_s *link); void (*lmp_acl_data)(struct bt_link_s *link, const uint8_t *data, - int start, int len); + int start, size_t len); void (*lmp_acl_resp)(struct bt_link_s *link, const uint8_t *data, - int start, int len); + int start, size_t len); void (*lmp_mode_change)(struct bt_link_s *link); =20 void (*handle_destroy)(struct bt_device_s *device); 
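Review bot: In usb_bt_fifo_out_enqueue the `send` callback now takes `size_t`, while the `complete` callback beside it keeps `int (*complete)(const uint8_t *, int)`. If that second parameter is also a byte count (its use is outside the hunk), the length is still narrowed to `int` on this path, which is the conversion the commit sets out to remove. Either convert it as well, `int (*complete)(const uint8_t *, size_t),`, or add a comment stating why it stays signed.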
@@ -148,12 +148,12 @@ struct bt_l2cap_device_s { =20 struct bt_l2cap_conn_params_s { /* Input */ - uint8_t *(*sdu_out)(struct bt_l2cap_conn_params_s *chan, int len); + uint8_t *(*sdu_out)(struct bt_l2cap_conn_params_s *chan, size_t len); void (*sdu_submit)(struct bt_l2cap_conn_params_s *chan); int remote_mtu; /* Output */ void *opaque; - void (*sdu_in)(void *opaque, const uint8_t *data, int len); + void (*sdu_in)(void *opaque, const uint8_t *data, size_t len); void (*close)(void *opaque); }; =20 diff --git a/include/sysemu/bt.h b/include/sysemu/bt.h index ddb05cd109..db935c695d 100644 --- a/include/sysemu/bt.h +++ b/include/sysemu/bt.h @@ -5,12 +5,12 @@ =20 struct HCIInfo { int (*bdaddr_set)(struct HCIInfo *hci, const uint8_t *bd_addr); - void (*cmd_send)(struct HCIInfo *hci, const uint8_t *data, int len); - void (*sco_send)(struct HCIInfo *hci, const uint8_t *data, int len); - void (*acl_send)(struct HCIInfo *hci, const uint8_t *data, int len); + void (*cmd_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); + void (*sco_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); + void (*acl_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); void *opaque; - void (*evt_recv)(void *opaque, const uint8_t *data, int len); - void (*acl_recv)(void *opaque, const uint8_t *data, int len); + void (*evt_recv)(void *opaque, const uint8_t *data, size_t len); + void (*acl_recv)(void *opaque, const uint8_t *data, size_t len); }; =20 /* bt-host.c */ --=20 2.17.2