diff --git a/.bluez.metadata b/.bluez.metadata
index ef5e331..714af10 100644
--- a/.bluez.metadata
+++ b/.bluez.metadata
@@ -1 +1 @@
-a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz
+4d8fb1328e15df4021329d3eb6329b64777badaa SOURCES/bluez-5.64.tar.xz
diff --git a/.gitignore b/.gitignore
index f035c34..0a9b7df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bluez-5.56.tar.xz
+SOURCES/bluez-5.64.tar.xz
diff --git a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
deleted file mode 100644
index 35f64e4..0000000
--- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
-Date: Wed, 20 Sep 2017 12:49:10 +0200
-Subject: [PATCH 1/4] build: Always define confdir and statedir
-
-As we will need those paths to lock down on them.
----
- Makefile.am | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 9d25a815b..ac88c12e0 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -31,14 +31,14 @@ pkginclude_HEADERS =
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
- AM_LDFLAGS = $(MISC_LDFLAGS)
-
-+confdir = $(sysconfdir)/bluetooth
-+statedir = $(localstatedir)/lib/bluetooth
-+
- if DATAFILES
- dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
- dbus_DATA = src/bluetooth.conf
-
--confdir = $(sysconfdir)/bluetooth
- conf_DATA =
--
--statedir = $(localstatedir)/lib/bluetooth
- state_DATA =
- endif
-
---
-2.21.0
-
diff --git a/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch b/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch
new file mode 100644
index 0000000..2b95f56
--- /dev/null
+++ b/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch
@@ -0,0 +1,66 @@
+From b4233bca181580800b483a228ca5377efcfeb844 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:05 +0530
+Subject: [PATCH BlueZ 01/12] client/gatt: Fix memory leak issues
+
+While performing the static tool analysis using coverity tool
+found following reports
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:1531: leaked_storage: Variable "service"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2626: leaked_storage: Variable "chrc"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2906: leaked_storage: Variable "desc"
+going out of scope leaks the storage it points to.
+---
+ client/gatt.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/client/gatt.c b/client/gatt.c
+index 13872c794..4c1efaf75 100644
+--- a/client/gatt.c
++++ b/client/gatt.c
+@@ -1527,8 +1527,10 @@ void gatt_register_service(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 2) {
+ service->handle = parse_handle(argv[2]);
+- if (!service->handle)
++ if (!service->handle) {
++ service_free(service);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, service->path,
+@@ -2622,8 +2624,10 @@ void gatt_register_chrc(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 3) {
+ chrc->handle = parse_handle(argv[3]);
+- if (!chrc->handle)
++ if (!chrc->handle) {
++ chrc_free(chrc);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, chrc->path, CHRC_INTERFACE,
+@@ -2902,8 +2906,10 @@ void gatt_register_desc(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 3) {
+ desc->handle = parse_handle(argv[3]);
+- if (!desc->handle)
++ if (!desc->handle) {
++ desc_free(desc);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, desc->path, DESC_INTERFACE,
+--
+2.26.2
+
diff --git a/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch b/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
new file mode 100644
index 0000000..555b77a
--- /dev/null
+++ b/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
@@ -0,0 +1,41 @@
+From f853012bc0142ab6056f3d9ef4abf621b1e8a756 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 24 May 2022 16:45:56 +0530
+Subject: [PATCH BlueZ] gatt: Fix double free and freed memory dereference
+
+commit 3627eddea13042ffc0848ae37356f30335ce2e4b
+Author: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
+Date: Fri Apr 1 15:16:47 2022 +0300
+
+ gatt: Fix double free and freed memory dereference
+
+ If device is no longer exists or not paired when notifications send it
+ is possible to get double free and dereference of already freed memory.
+
+ To avoid this we need to recheck the state of device after sending
+ notification.
+
+ Found by Linux Verification Center (linuxtesting.org) with the SVACE
+ static analysis tool.
+---
+ src/gatt-database.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index d6c94058c..d32f616a9 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
+
+ send_notification_to_device(state, state->pending);
+
++ state = find_device_state(database, &bdaddr, bdaddr_type);
++ if (!state || !state->pending)
++ return;
++
+ free(state->pending->value);
+ free(state->pending);
+ state->pending = NULL;
+--
+2.26.2
+
diff --git a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch b/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
deleted file mode 100644
index 11ce041..0000000
--- a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+++ /dev/null
@@ -1,468 +0,0 @@
-From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001
-From: Gopal Tiwari <gtiwari@redhat.com>
-Date: Wed, 1 Dec 2021 12:18:24 +0530
-Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache
-
-commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0
-Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Thu Jul 15 11:01:20 2021 -0700
-
- sdpd: Fix leaking buffers stored in cstates cache
-
- These buffer shall only be keep in cache for as long as they are
- needed so this would cleanup any client cstates in the following
- conditions:
-
- - There is no cstate on the response
- - No continuation can be found for cstate
- - Different request opcode
- - Respond with an error
- - Client disconnect
-
- Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
----
- src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++-------------
- src/sdpd-server.c | 20 +++---
- src/sdpd.h | 3 +
- unit/test-sdp.c | 2 +-
- 4 files changed, 135 insertions(+), 60 deletions(-)
-
-diff --git a/src/sdpd-request.c b/src/sdpd-request.c
-index 033d1e5bf..c8f5a2c72 100644
---- a/src/sdpd-request.c
-+++ b/src/sdpd-request.c
-@@ -42,48 +42,78 @@ typedef struct {
-
- #define MIN(x, y) ((x) < (y)) ? (x): (y)
-
--typedef struct _sdp_cstate_list sdp_cstate_list_t;
-+typedef struct sdp_cont_info sdp_cont_info_t;
-
--struct _sdp_cstate_list {
-- sdp_cstate_list_t *next;
-+struct sdp_cont_info {
-+ int sock;
-+ uint8_t opcode;
- uint32_t timestamp;
- sdp_buf_t buf;
- };
-
--static sdp_cstate_list_t *cstates;
-+static sdp_list_t *cstates;
-
--/* FIXME: should probably remove it when it's found */
--static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate)
-+static int cstate_match(const void *data, const void *user_data)
- {
-- sdp_cstate_list_t *p;
-+ const sdp_cont_info_t *cinfo = data;
-+ const sdp_cont_state_t *cstate = user_data;
-
-- for (p = cstates; p; p = p->next) {
-- /* Check timestamp */
-- if (p->timestamp != cstate->timestamp)
-- continue;
-+ /* Check timestamp */
-+ return cinfo->timestamp - cstate->timestamp;
-+}
-+
-+static void sdp_cont_info_free(sdp_cont_info_t *cinfo)
-+{
-+ if (!cinfo)
-+ return;
-+
-+ cstates = sdp_list_remove(cstates, cinfo);
-+ free(cinfo->buf.data);
-+ free(cinfo);
-+}
-+
-+static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req,
-+ sdp_cont_state_t *cstate)
-+{
-+ sdp_list_t *list;
-+
-+ list = sdp_list_find(cstates, cstate, cstate_match);
-+ if (list) {
-+ sdp_cont_info_t *cinfo = list->data;
-
-- /* Check if requesting more than available */
-- if (cstate->cStateValue.maxBytesSent < p->buf.data_size)
-- return &p->buf;
-+ if (cinfo->opcode == req->opcode)
-+ return cinfo;
-+
-+ /* Cleanup continuation if the opcode doesn't match since its
-+ * response buffer shall only be valid for the original requests
-+ */
-+ sdp_cont_info_free(cinfo);
-+ return NULL;
- }
-
-- return 0;
-+ /* Cleanup cstates if no continuation info could be found */
-+ sdp_cstate_cleanup(req->sock);
-+
-+ return NULL;
- }
-
--static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf)
-+static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf)
- {
-- sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t));
-+ sdp_cont_info_t *cinfo = malloc(sizeof(sdp_cont_info_t));
- uint8_t *data = malloc(buf->data_size);
-
- memcpy(data, buf->data, buf->data_size);
-- memset((char *)cstate, 0, sizeof(sdp_cstate_list_t));
-- cstate->buf.data = data;
-- cstate->buf.data_size = buf->data_size;
-- cstate->buf.buf_size = buf->data_size;
-- cstate->timestamp = sdp_get_time();
-- cstate->next = cstates;
-- cstates = cstate;
-- return cstate->timestamp;
-+ memset(cinfo, 0, sizeof(sdp_cont_info_t));
-+ cinfo->buf.data = data;
-+ cinfo->buf.data_size = buf->data_size;
-+ cinfo->buf.buf_size = buf->data_size;
-+ cinfo->timestamp = sdp_get_time();
-+ cinfo->sock = req->sock;
-+ cinfo->opcode = req->opcode;
-+
-+ cstates = sdp_list_append(cstates, cinfo);
-+
-+ return cinfo->timestamp;
- }
-
- /* Additional values for checking datatype (not in spec) */
-@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate)
- return length;
- }
-
--static int sdp_cstate_get(uint8_t *buffer, size_t len,
-- sdp_cont_state_t **cstate)
-+static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len,
-+ sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo)
- {
- uint8_t cStateSize = *buffer;
-
- SDPDBG("Continuation State size : %d", cStateSize);
-
- if (cStateSize == 0) {
-+ /* Cleanup cstates if request doesn't contain a cstate */
-+ sdp_cstate_cleanup(req->sock);
- *cstate = NULL;
- return 0;
- }
-@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len,
- SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp);
- SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent);
-
-+ *cinfo = sdp_get_cont_info(req, *cstate);
-+
- return 0;
- }
-
-@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
- uint16_t expected, actual, rsp_count = 0;
- uint8_t dtd;
- sdp_cont_state_t *cstate = NULL;
-+ sdp_cont_info_t *cinfo = NULL;
- uint8_t *pCacheBuffer = NULL;
- int handleSize = 0;
- uint32_t cStateId = 0;
-@@ -399,9 +434,9 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
-
- /*
- * Check if continuation state exists, if yes attempt
-- * to get rsp remainder from cache, else send error
-+ * to get rsp remainder from continuation info, else send error
- */
-- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
-+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
- status = SDP_INVALID_SYNTAX;
- goto done;
- }
-@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
-
- if (rsp_count > actual) {
- /* cache the rsp and generate a continuation state */
-- cStateId = sdp_cstate_alloc_buf(buf);
-+ cStateId = sdp_cstate_alloc_buf(req, buf);
- /*
- * subtract handleSize since we now send only
- * a subset of handles
-@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
- buf->data_size -= handleSize;
- } else {
- /* NULL continuation state */
-+ sdp_cont_info_free(cinfo);
- sdp_set_cstate_pdu(buf, NULL);
- }
- }
-@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
- short lastIndex = 0;
-
- if (cstate) {
-- /*
-- * Get the previous sdp_cont_state_t and obtain
-- * the cached rsp
-- */
-- sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
-- if (pCache) {
-- pCacheBuffer = pCache->data;
-+ if (cinfo) {
-+ /* Check if requesting more than available */
-+ if (cstate->cStateValue.maxBytesSent >=
-+ cinfo->buf.data_size) {
-+ status = SDP_INVALID_CSTATE;
-+ goto done;
-+ }
-+
-+ pCacheBuffer = cinfo->buf.data;
- /* get the rsp_count from the cached buffer */
- rsp_count = get_be16(pCacheBuffer);
-
-@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
- if (i == rsp_count) {
- /* set "null" continuationState */
- sdp_set_cstate_pdu(buf, NULL);
-+ sdp_cont_info_free(cinfo);
- } else {
- /*
- * there's more: set lastIndexSent to
-@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
-
- done:
- free(cstate);
-+
- if (pattern)
- sdp_list_free(pattern, free);
-
-@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf)
- }
-
- /* Build cstate response */
--static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
-- uint16_t max)
-+static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate,
-+ sdp_buf_t *buf, uint16_t max)
- {
-- /* continuation State exists -> get from cache */
-- sdp_buf_t *cache = sdp_get_cached_rsp(cstate);
-+ sdp_buf_t *cache;
- uint16_t sent;
-
-- if (!cache)
-+ if (!cinfo)
-+ return 0;
-+
-+ if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) {
-+ sdp_cont_info_free(cinfo);
- return 0;
-+ }
-+
-+ cache = &cinfo->buf;
-
- sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent);
- memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent);
-@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
- SDPDBG("Response size : %d sending now : %d bytes sent so far : %d",
- cache->data_size, sent, cstate->cStateValue.maxBytesSent);
-
-- if (cstate->cStateValue.maxBytesSent == cache->data_size)
-+ if (cstate->cStateValue.maxBytesSent == cache->data_size) {
-+ sdp_cont_info_free(cinfo);
- return sdp_set_cstate_pdu(buf, NULL);
-+ }
-
- return sdp_set_cstate_pdu(buf, cstate);
- }
-@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf,
- static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- {
- sdp_cont_state_t *cstate = NULL;
-+ sdp_cont_info_t *cinfo = NULL;
- short cstate_size = 0;
- sdp_list_t *seq = NULL;
- uint8_t dtd = 0;
-@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- * if continuation state exists, attempt
- * to get rsp remainder from cache, else send error
- */
-- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
-+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
- status = SDP_INVALID_SYNTAX;
- goto done;
- }
-@@ -737,7 +786,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- buf->buf_size -= sizeof(uint16_t);
-
- if (cstate) {
-- cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size);
-+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size);
- if (!cstate_size) {
- status = SDP_INVALID_CSTATE;
- error("NULL cache buffer and non-NULL continuation state");
-@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- sdp_cont_state_t newState;
-
- memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
-- newState.timestamp = sdp_cstate_alloc_buf(buf);
-+ newState.timestamp = sdp_cstate_alloc_buf(req, buf);
- /*
- * Reset the buffer size to the maximum expected and
- * set the sdp_cont_state_t
-@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- int scanned, rsp_count = 0;
- sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
- sdp_cont_state_t *cstate = NULL;
-+ sdp_cont_info_t *cinfo = NULL;
- short cstate_size = 0;
- uint8_t dtd = 0;
- sdp_buf_t tmpbuf;
-@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- * if continuation state exists attempt
- * to get rsp remainder from cache, else send error
- */
-- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) {
-+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) {
- status = SDP_INVALID_SYNTAX;
- goto done;
- }
-@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- sdp_cont_state_t newState;
-
- memset((char *)&newState, 0, sizeof(sdp_cont_state_t));
-- newState.timestamp = sdp_cstate_alloc_buf(buf);
-+ newState.timestamp = sdp_cstate_alloc_buf(req, buf);
- /*
- * Reset the buffer size to the maximum expected and
- * set the sdp_cont_state_t
-@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
- } else
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- } else {
-- cstate_size = sdp_cstate_rsp(cstate, buf, max);
-+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max);
- if (!cstate_size) {
- status = SDP_INVALID_CSTATE;
- SDPDBG("Non-null continuation state, but null cache buffer");
-@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req)
- status = SDP_INVALID_PDU_SIZE;
- goto send_rsp;
- }
-+
-+ req->opcode = reqhdr->pdu_id;
-+
- switch (reqhdr->pdu_id) {
- case SDP_SVC_SEARCH_REQ:
- SDPDBG("Got a svc srch req");
-@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req)
-
- send_rsp:
- if (status) {
-+ /* Cleanup cstates on error */
-+ sdp_cstate_cleanup(req->sock);
- rsphdr->pdu_id = SDP_ERROR_RSP;
- put_be16(status, rsp.data);
- rsp.data_size = sizeof(uint16_t);
-@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len)
-
- process_request(&req);
- }
-+
-+void sdp_cstate_cleanup(int sock)
-+{
-+ sdp_list_t *list;
-+
-+ /* Remove any cinfo for the client */
-+ for (list = cstates; list;) {
-+ sdp_cont_info_t *cinfo = list->data;
-+
-+ list = list->next;
-+
-+ if (cinfo->sock != sock)
-+ continue;
-+
-+ sdp_cont_info_free(cinfo);
-+ }
-+}
-diff --git a/src/sdpd-server.c b/src/sdpd-server.c
-index dfd8b1f00..66ee7ba14 100644
---- a/src/sdpd-server.c
-+++ b/src/sdpd-server.c
-@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
-
- sk = g_io_channel_unix_get_fd(chan);
-
-- if (cond & (G_IO_HUP | G_IO_ERR)) {
-- sdp_svcdb_collect_all(sk);
-- return FALSE;
-- }
-+ if (cond & (G_IO_HUP | G_IO_ERR))
-+ goto cleanup;
-
- len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
-- if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
-- sdp_svcdb_collect_all(sk);
-- return FALSE;
-- }
-+ if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t))
-+ goto cleanup;
-
- size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
- buf = malloc(size);
-@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
- * inside handle_request() in order to produce ErrorResponse.
- */
- if (len <= 0) {
-- sdp_svcdb_collect_all(sk);
- free(buf);
-- return FALSE;
-+ goto cleanup;
- }
-
- handle_request(sk, buf, len);
-
- return TRUE;
-+
-+cleanup:
-+ sdp_svcdb_collect_all(sk);
-+ sdp_cstate_cleanup(sk);
-+ return FALSE;
- }
-
- static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data)
-diff --git a/src/sdpd.h b/src/sdpd.h
-index 257411f03..4316aff67 100644
---- a/src/sdpd.h
-+++ b/src/sdpd.h
-@@ -27,8 +27,11 @@ typedef struct request {
- int flags;
- uint8_t *buf;
- int len;
-+ uint8_t opcode;
- } sdp_req_t;
-
-+void sdp_cstate_cleanup(int sock);
-+
- void handle_internal_request(int sk, int mtu, void *data, int len);
- void handle_request(int sk, uint8_t *data, int len);
-
-diff --git a/unit/test-sdp.c b/unit/test-sdp.c
-index d3a885f19..8f95fcb71 100644
---- a/unit/test-sdp.c
-+++ b/unit/test-sdp.c
-@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond,
- tester_monitor('>', 0x0000, 0x0001, buf, len);
-
- g_assert(len > 0);
-- g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len);
-+ g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len);
-
- g_assert(memcmp(buf, rsp_pdu->raw_data, rsp_pdu->raw_size) == 0);
-
---
-2.26.2
-
diff --git a/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch b/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch
new file mode 100644
index 0000000..42c767b
--- /dev/null
+++ b/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch
@@ -0,0 +1,43 @@
+From 5eb96b3ec8545047a74d7204664267c7aa749070 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:06 +0530
+Subject: [PATCH BlueZ 02/12] mesh/appkey: Fix memory leaks
+
+While performing the static analysis using the coverity tool found
+following memory leak reports
+
+bluez-5.64/mesh/appkey.c:143: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/mesh/appkey.c:146: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+---
+ mesh/appkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/mesh/appkey.c b/mesh/appkey.c
+index 5088a1812..52fed8c31 100644
+--- a/mesh/appkey.c
++++ b/mesh/appkey.c
+@@ -139,11 +139,15 @@ bool appkey_key_init(struct mesh_net *net, uint16_t net_idx, uint16_t app_idx,
+ key->net_idx = net_idx;
+ key->app_idx = app_idx;
+
+- if (key_value && !set_key(key, app_idx, key_value, false))
++ if (key_value && !set_key(key, app_idx, key_value, false)) {
++ appkey_key_free(key);
+ return false;
++ }
+
+- if (new_key_value && !set_key(key, app_idx, new_key_value, true))
++ if (new_key_value && !set_key(key, app_idx, new_key_value, true)) {
++ appkey_key_free(key);
+ return false;
++ }
+
+ l_queue_push_tail(app_keys, key);
+
+--
+2.26.2
+
diff --git a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
deleted file mode 100644
index d6dff2a..0000000
--- a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
-From: Craig Andrews <candrews@integralblue.com>
-Date: Wed, 13 Sep 2017 15:23:09 +0200
-Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
-
-PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
-namespace. This is useful to secure access to temporary files of the
-process.
-
-NoNewPrivileges ensures that service process and all its children
-can never gain new privileges through execve(), lowering the risk of
-possible privilege escalations.
----
- src/bluetooth.service.in | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index f9faaa452..7c2f60bb4 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -12,8 +12,14 @@ NotifyAccess=main
- #Restart=on-failure
- CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
- LimitNPROC=1
-+
-+# Filesystem lockdown
- ProtectHome=true
- ProtectSystem=full
-+PrivateTmp=true
-+
-+# Privilege escalation
-+NoNewPrivileges=true
-
- [Install]
- WantedBy=bluetooth.target
---
-2.21.0
-
diff --git a/SOURCES/0003-monitor-Fix-memory-leaks.patch b/SOURCES/0003-monitor-Fix-memory-leaks.patch
new file mode 100644
index 0000000..ed78701
--- /dev/null
+++ b/SOURCES/0003-monitor-Fix-memory-leaks.patch
@@ -0,0 +1,38 @@
+From 6f02010ce0043ec2e17eb15f2a1dd42f6c64e223 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:07 +0530
+Subject: [PATCH BlueZ 03/12] monitor: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/monitor/jlink.c:111: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+
+bluez-5.64/monitor/jlink.c:113: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index 9aaa4ebd8..f1d8ce660 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -107,9 +107,12 @@ int jlink_init(void)
+ !jlink.tif_select || !jlink.setspeed ||
+ !jlink.connect || !jlink.getsn ||
+ !jlink.emu_getproductname ||
+- !jlink.rtterminal_control || !jlink.rtterminal_read)
++ !jlink.rtterminal_control || !jlink.rtterminal_read) {
++ dlclose(so);
+ return -EIO;
++ }
+
++ dlclose(so);
+ return 0;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
deleted file mode 100644
index d3d6dd4..0000000
--- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
-Date: Wed, 13 Sep 2017 15:37:11 +0200
-Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
-
-We can only access the configuration file as read-only and read-write
-to the Bluetooth cache directory and sub-directories.
----
- Makefile.am | 3 +++
- src/bluetooth.service.in | 4 ++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/Makefile.am b/Makefile.am
-index ac88c12e0..0a6d09847 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
-
- SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
-+ -e 's,@libexecdir\@,$(libexecdir),g' \
-+ -e 's,@statedir\@,$(statedir),g' \
-+ -e 's,@confdir\@,$(confdir),g' \
- < $< > $@
-
- %.service: %.service.in Makefile
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 7c2f60bb4..4daedef2a 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -17,6 +17,10 @@ LimitNPROC=1
- ProtectHome=true
- ProtectSystem=full
- PrivateTmp=true
-+ProtectKernelTunables=true
-+ProtectControlGroups=true
-+ReadWritePaths=@statedir@
-+ReadOnlyPaths=@confdir@
-
- # Privilege escalation
- NoNewPrivileges=true
---
-2.21.0
-
diff --git a/SOURCES/0004-sixaxis-Fix-memory-leaks.patch b/SOURCES/0004-sixaxis-Fix-memory-leaks.patch
new file mode 100644
index 0000000..b2f358c
--- /dev/null
+++ b/SOURCES/0004-sixaxis-Fix-memory-leaks.patch
@@ -0,0 +1,43 @@
+From fc57aa92a4f32f7c0f38198e6d26b529b537a047 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:08 +0530
+Subject: [PATCH BlueZ 04/12] sixaxis: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/plugins/sixaxis.c:425: alloc_arg:
+"get_pairing_type_for_device" allocates memory that is
+stored into "sysfs_path".
+
+bluez-5.64/plugins/sixaxis.c:428: leaked_storage: Variable "sysfs_path"
+going out of scope leaks the storage it points to.
+---
+ plugins/sixaxis.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/sixaxis.c b/plugins/sixaxis.c
+index ddecbcccb..10cf15948 100644
+--- a/plugins/sixaxis.c
++++ b/plugins/sixaxis.c
+@@ -424,10 +424,15 @@ static void device_added(struct udev_device *udevice)
+
+ cp = get_pairing_type_for_device(udevice, &bus, &sysfs_path);
+ if (!cp || (cp->type != CABLE_PAIRING_SIXAXIS &&
+- cp->type != CABLE_PAIRING_DS4))
++ cp->type != CABLE_PAIRING_DS4)) {
++ g_free(sysfs_path);
+ return;
+- if (bus != BUS_USB)
++ }
++
++ if (bus != BUS_USB) {
++ g_free(sysfs_path);
+ return;
++ }
+
+ info("sixaxis: compatible device connected: %s (%04X:%04X %s)",
+ cp->name, cp->vid, cp->pid, sysfs_path);
+--
+2.26.2
+
diff --git a/SOURCES/0004-systemd-More-lockdown.patch b/SOURCES/0004-systemd-More-lockdown.patch
deleted file mode 100644
index 4f9c218..0000000
--- a/SOURCES/0004-systemd-More-lockdown.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
-Date: Wed, 13 Sep 2017 15:38:26 +0200
-Subject: [PATCH 4/4] systemd: More lockdown
-
-bluetoothd does not need to execute mapped memory, or real-time
-access, so block those.
----
- src/bluetooth.service.in | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 4daedef2a..f18801866 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -22,9 +22,15 @@ ProtectControlGroups=true
- ReadWritePaths=@statedir@
- ReadOnlyPaths=@confdir@
-
-+# Execute Mappings
-+MemoryDenyWriteExecute=true
-+
- # Privilege escalation
- NoNewPrivileges=true
-
-+# Real-time
-+RestrictRealtime=true
-+
- [Install]
- WantedBy=bluetooth.target
- Alias=dbus-org.bluez.service
---
-2.21.0
-
diff --git a/SOURCES/0005-cltest-Fix-leaked_handle.patch b/SOURCES/0005-cltest-Fix-leaked_handle.patch
new file mode 100644
index 0000000..c33047e
--- /dev/null
+++ b/SOURCES/0005-cltest-Fix-leaked_handle.patch
@@ -0,0 +1,29 @@
+From f4743109f381a4d53b476c5b77c7c68a6aa40b59 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:09 +0530
+Subject: [PATCH BlueZ 05/12] cltest: Fix leaked_handle
+
+While performing static tool analysis using coverity found
+following reports for resouse leak
+
+bluez-5.64/tools/cltest.c:75: leaked_handle: Handle variable "fd"
+going out of scope leaks the handle.
+---
+ tools/cltest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/cltest.c b/tools/cltest.c
+index 2766fcd23..250c93cc7 100644
+--- a/tools/cltest.c
++++ b/tools/cltest.c
+@@ -72,6 +72,7 @@ static bool send_message(const bdaddr_t *src, const bdaddr_t *dst,
+ return false;
+ }
+
++ close(fd);
+ return true;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch b/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch
deleted file mode 100644
index 1e84610..0000000
--- a/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 124dee151746b4a8a2e8a7194af78f2c82f75d79 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 3 Mar 2021 08:57:36 +0100
-Subject: [PATCH] media: rename local function conflicting with pause(2)
-
-profiles/audio/media.c:1284:13: error: conflicting types for 'pause'; have '_Bool(void *)'
- 1284 | static bool pause(void *user_data)
- | ^~~~~
-In file included from /usr/include/bits/sigstksz.h:24,
- from /usr/include/signal.h:315,
- from /usr/include/glib-2.0/glib/gbacktrace.h:36,
- from /usr/include/glib-2.0/glib.h:34,
- from profiles/audio/media.c:21:
-/usr/include/unistd.h:478:12: note: previous declaration of 'pause' with type 'int(void)'
- 478 | extern int pause (void);
- | ^~~~~
----
- profiles/audio/media.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/audio/media.c b/profiles/audio/media.c
-index c84bbe22dc..3d8c4b69c3 100644
---- a/profiles/audio/media.c
-+++ b/profiles/audio/media.c
-@@ -1281,7 +1281,7 @@ static bool stop(void *user_data)
- return media_player_send(mp, "Stop");
- }
-
--static bool pause(void *user_data)
-+static bool pause_play(void *user_data)
- {
- struct media_player *mp = user_data;
-
-@@ -1331,7 +1331,7 @@ static struct avrcp_player_cb player_cb = {
- .set_volume = set_volume,
- .play = play,
- .stop = stop,
-- .pause = pause,
-+ .pause = pause_play,
- .next = next,
- .previous = previous,
- };
diff --git a/SOURCES/0006-create-image-Fix-leaked_handle.patch b/SOURCES/0006-create-image-Fix-leaked_handle.patch
new file mode 100644
index 0000000..981dfc3
--- /dev/null
+++ b/SOURCES/0006-create-image-Fix-leaked_handle.patch
@@ -0,0 +1,47 @@
+From 4ae130455b173650f564d92f7908a7ca4f7b1ee6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:10 +0530
+Subject: [PATCH BlueZ 06/12] create-image: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/create-image.c:124: leaked_storage: Variable "map"
+going out of scope leaks the storage it points to.
+---
+ tools/create-image.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/create-image.c b/tools/create-image.c
+index aba940da7..90cd87315 100644
+--- a/tools/create-image.c
++++ b/tools/create-image.c
+@@ -97,12 +97,13 @@ static void write_block(FILE *fp, const char *pathname, unsigned int ino,
+
+ map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ if (!map || map == MAP_FAILED) {
+- close(fd);
+- fd = -1;
+ map = NULL;
+ st.st_size = 0;
+ }
+
++ close(fd);
++ fd = -1;
++
+ done:
+ fprintf(fp, HDR_FMT, HDR_MAGIC, ino, mode, 0, 0, 1, 0,
+ (uintmax_t) st.st_size, 0, 0, 0, 0, namelen + 1, 0, name);
+@@ -117,9 +118,7 @@ done:
+ pad = 3 - ((st.st_size + 3) % 4);
+ for (i = 0; i < pad; i++)
+ fputc(0, fp);
+-
+ munmap(map, st.st_size);
+- close(fd);
+ }
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch b/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch
new file mode 100644
index 0000000..c1b9472
--- /dev/null
+++ b/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch
@@ -0,0 +1,29 @@
+From 4334be027ae1ad50193025c90e77a76b64464b53 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:11 +0530
+Subject: [PATCH BlueZ 07/12] l2cap-tester: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/l2cap-tester.c:1712: leaked_handle: Handle variable
+"new_sk" going out of scope leaks the handle.
+---
+ tools/l2cap-tester.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
+index d78b1e29c..3f0464013 100644
+--- a/tools/l2cap-tester.c
++++ b/tools/l2cap-tester.c
+@@ -1709,6 +1709,7 @@ static gboolean l2cap_listen_cb(GIOChannel *io, GIOCondition cond,
+
+ if (!check_mtu(data, new_sk)) {
+ tester_test_failed();
++ close(new_sk);
+ return FALSE;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch b/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch
new file mode 100644
index 0000000..0def877
--- /dev/null
+++ b/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch
@@ -0,0 +1,33 @@
+From 35cbfd9660949fca23418bfa32fd51d81ed91208 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:12 +0530
+Subject: [PATCH BlueZ 08/12] mesh/mesh-db: Fix resource leaks
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_handle: Handle variable
+"fd" going out of scope leaks the handle.
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_storage: Variable "str"
+going out of scope leaks the storage it points to.
+---
+ tools/mesh/mesh-db.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c
+index fa11837df..896ff722c 100644
+--- a/tools/mesh/mesh-db.c
++++ b/tools/mesh/mesh-db.c
+@@ -2384,6 +2384,8 @@ bool mesh_db_load(const char *fname)
+
+ sz = read(fd, str, st.st_size);
+ if (sz != st.st_size) {
++ close(fd);
++ l_free(str);
+ l_error("Failed to read configuration file %s", fname);
+ return false;
+ }
+--
+2.26.2
+
diff --git a/SOURCES/0009-obex-client-Fix-leaked_handle.patch b/SOURCES/0009-obex-client-Fix-leaked_handle.patch
new file mode 100644
index 0000000..1611717
--- /dev/null
+++ b/SOURCES/0009-obex-client-Fix-leaked_handle.patch
@@ -0,0 +1,29 @@
+From 39b638526d9a45d54d2d6e3f175fd7eb057ef8f0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:13 +0530
+Subject: [PATCH BlueZ 09/12] obex-client: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/obex-client-tool.c:315: leaked_handle: Handle variable
+"sk" going out of scope leaks the handle.
+---
+ tools/obex-client-tool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/obex-client-tool.c b/tools/obex-client-tool.c
+index ab9332896..cb0e41247 100644
+--- a/tools/obex-client-tool.c
++++ b/tools/obex-client-tool.c
+@@ -312,6 +312,7 @@ static GIOChannel *unix_connect(GObexTransportType transport)
+ if (connect(sk, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+ err = errno;
+ g_printerr("connect: %s (%d)\n", strerror(err), err);
++ close(sk);
+ return NULL;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0010-pbap-Fix-memory-leak.patch b/SOURCES/0010-pbap-Fix-memory-leak.patch
new file mode 100644
index 0000000..6bcceb2
--- /dev/null
+++ b/SOURCES/0010-pbap-Fix-memory-leak.patch
@@ -0,0 +1,34 @@
+From 06d3c7429ad6bdf6eef1bcedee327e74a33c40bf Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:15 +0530
+Subject: [PATCH BlueZ 10/12] pbap: Fix memory leak
+
+Reported by coverity tool as follows:
+
+bluez-5.64/obexd/client/pbap.c:929: leaked_storage: Variable "apparam"
+going out of scope leaks the storage it points to.
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
+index 1a2bacc9f..1ed8c68ec 100644
+--- a/obexd/client/pbap.c
++++ b/obexd/client/pbap.c
+@@ -925,10 +925,11 @@ static DBusMessage *pbap_search(DBusConnection *connection,
+ return g_dbus_create_error(message,
+ ERROR_INTERFACE ".InvalidArguments", NULL);
+
+- if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING)
++ if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING) {
++ g_obex_apparam_free(apparam);
+ return g_dbus_create_error(message,
+ ERROR_INTERFACE ".InvalidArguments", NULL);
+-
++ }
+ dbus_message_iter_get_basic(&args, &value);
+ dbus_message_iter_next(&args);
+
+--
+2.26.2
+
diff --git a/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch b/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch
new file mode 100644
index 0000000..76903b1
--- /dev/null
+++ b/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch
@@ -0,0 +1,30 @@
+From 56bda20ce9e3e5c4684b37cffd4527264c2b4c1e Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:16 +0530
+Subject: [PATCH BlueZ 11/12] meshctl: Fix possible use_after_free
+
+Reported by coverity tool as follows :
+
+bluez-5.64/tools/meshctl.c:1968: freed_arg: "g_free" frees "mesh_dir".
+
+bluez-5.64/tools/meshctl.c:2018: double_free: Calling "g_free" frees
+pointer "mesh_dir" which has already been freed.
+---
+ tools/meshctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/meshctl.c b/tools/meshctl.c
+index 18e20c40d..38ffd35f3 100644
+--- a/tools/meshctl.c
++++ b/tools/meshctl.c
+@@ -2015,7 +2015,6 @@ int main(int argc, char *argv[])
+
+ fail:
+ bt_shell_cleanup();
+- g_free(mesh_dir);
+
+ return EXIT_FAILURE;
+ }
+--
+2.26.2
+
diff --git a/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch b/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch
new file mode 100644
index 0000000..234aaea
--- /dev/null
+++ b/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch
@@ -0,0 +1,34 @@
+From 5cdaeaefc350ea3c42719284b88406579d032fb6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:17 +0530
+Subject: [PATCH BlueZ 12/12] mesh-gatt: Fix use_after_free
+
+Following scenario happens when prov is false and we have double free as
+mentioned in the below
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:847: freed_arg: "g_free" frees
+"in_str".
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:867: double_free: Calling "g_free"
+frees pointer "in_str" which has already been freed.
+---
+ tools/mesh-gatt/prov-db.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/mesh-gatt/prov-db.c b/tools/mesh-gatt/prov-db.c
+index 2fb08f799..a5b6997e0 100644
+--- a/tools/mesh-gatt/prov-db.c
++++ b/tools/mesh-gatt/prov-db.c
+@@ -859,7 +859,8 @@ bool prov_db_local_set_iv_index(uint32_t iv_index, bool update, bool prov)
+
+ set_local_iv_index(jmain, iv_index, update);
+ prov_file_write(jmain, false);
+- }
++ } else
++ return true;
+
+ res = true;
+ done:
+--
+2.26.2
+
diff --git a/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch b/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
deleted file mode 100644
index c2e3415..0000000
--- a/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 28ddec8d6b829e002fa268c07b71e4c564ba9e16 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Thu, 11 Mar 2021 07:36:07 -0800
-Subject: [PATCH] avdtp: Fix removing all remote SEPs when loading from cache
-
-If avdtp_discover is called after cache has been loaded it end up
-removing all remote SEPs as they have not been discovered yet.
-
-Fixes: https://github.com/bluez/bluez/issues/102
----
- profiles/audio/avdtp.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
-index 088ca58b3..1d5871c62 100644
---- a/profiles/audio/avdtp.c
-+++ b/profiles/audio/avdtp.c
-@@ -3381,10 +3381,18 @@ int avdtp_discover(struct avdtp *session, avdtp_discover_cb_t cb,
- session->discover = g_new0(struct discover_callback, 1);
-
- if (session->seps) {
-- session->discover->cb = cb;
-- session->discover->user_data = user_data;
-- session->discover->id = g_idle_add(process_discover, session);
-- return 0;
-+ struct avdtp_remote_sep *sep = session->seps->data;
-+
-+ /* Check that SEP have been discovered as it may be loaded from
-+ * cache.
-+ */
-+ if (sep->discovered) {
-+ session->discover->cb = cb;
-+ session->discover->user_data = user_data;
-+ session->discover->id = g_idle_add(process_discover,
-+ session);
-+ return 0;
-+ }
- }
-
- err = send_request(session, FALSE, NULL, AVDTP_DISCOVER, NULL, 0);
-
diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec
index 2922a53..c6669b6 100644
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@@ -5,8 +5,8 @@
%endif
Name: bluez
-Version: 5.56
-Release: 8%{?dist}
+Version: 5.64
+Release: 2%{?dist}
Summary: Bluetooth utilities
License: GPLv2+
URL: http://www.bluez.org/
@@ -17,13 +17,25 @@ Source1: bluez.gitignore
# https://github.com/hadess/bluez/commits/obex-5.46
Patch1: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
# https://github.com/hadess/bluez/commits/systemd-hardening
-Patch10: 0001-build-Always-define-confdir-and-statedir.patch
-Patch11: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
-Patch12: 0003-systemd-Add-more-filesystem-lockdown.patch
-Patch13: 0004-systemd-More-lockdown.patch
-Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
-Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
-Patch16: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+#Patch10: 0001-build-Always-define-confdir-and-statedir.patch
+#Patch11: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+#Patch12: 0003-systemd-Add-more-filesystem-lockdown.patch
+#Patch13: 0004-systemd-More-lockdown.patch
+#Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
+#Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+Patch2: 0001-client-gatt-Fix-memory-leak-issues.patch
+Patch3: 0002-mesh-appkey-Fix-memory-leaks.patch
+Patch4: 0003-monitor-Fix-memory-leaks.patch
+Patch5: 0004-sixaxis-Fix-memory-leaks.patch
+Patch6: 0005-cltest-Fix-leaked_handle.patch
+Patch7: 0006-create-image-Fix-leaked_handle.patch
+Patch8: 0007-l2cap-tester-Fix-leaked_handle.patch
+Patch9: 0008-mesh-mesh-db-Fix-resource-leaks.patch
+Patch10: 0009-obex-client-Fix-leaked_handle.patch
+Patch11: 0010-pbap-Fix-memory-leak.patch
+Patch12: 0011-meshctl-Fix-possible-use_after_free.patch
+Patch13: 0012-mesh-gatt-Fix-use_after_free.patch
+Patch14: 0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
BuildRequires: dbus-devel >= 1.6
BuildRequires: glib2-devel
@@ -39,6 +51,8 @@ BuildRequires: systemd-devel
BuildRequires: cups-devel
# For autoreconf
BuildRequires: libtool automake autoconf
+# For man pages
+BuildRequires: python3-docutils
Requires: dbus >= 1.6
Requires(post): systemd
@@ -147,7 +161,7 @@ Object Exchange daemon for sharing files, contacts etc over bluetooth
%build
autoreconf -vif
-%configure --enable-tools --enable-library \
+%configure --enable-tools --enable-library --disable-optimization \
%if %{with deprecated}
--enable-deprecated \
%endif
@@ -248,6 +262,7 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
%{_bindir}/mpris-proxy
%{_bindir}/rctest
%{_mandir}/man1/btattach.1.*
+%{_mandir}/man1/btmon.1.*
%{_mandir}/man1/l2ping.1.*
%{_mandir}/man1/rctest.1.*
%{_mandir}/man8/bluetoothd.8.*
@@ -305,10 +320,12 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
%config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
%{_bindir}/meshctl
%{_bindir}/mesh-cfgclient
+%{_bindir}/mesh-cfgtest
%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
%{_libexecdir}/bluetooth/bluetooth-meshd
%{_unitdir}/bluetooth-mesh.service
%{_localstatedir}/lib/bluetooth/mesh
+%{_mandir}/man8/bluetooth-meshd.8*
%files obexd
%{_libexecdir}/bluetooth/obexd
@@ -316,6 +333,11 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
%{_userunitdir}/obex.service
%changelog
+* Thu Jun 9 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-2
+- Coverity fixes for bluez.
+
+* Thu May 5 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-1
+- Update to 5.64
* Fri Dec 16 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-8
- Fixing Gating and version