sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity

bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250) 

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
information disclosure vulnerability which allows remote attackers to obtain
sensitive information from the bluetoothd process memory. This vulnerability
lies in the processing of SDP search attribute requests.

(From OE-Core rev: d25716ceb3ffcdfcfa54516596bd94bf5c050bac)

(From OE-Core rev: c8f4cd337b9cc5c5c3fc40c6a6d8d2394fdc9ea3)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton 2017-09-13 16:59:09 +01:00 committed by Richard Purdie
parent 2b3db17bd8
commit 4992fc465d
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
meta/recipes-connectivity/bluez5/bluez5.inc
View File

@ -24,6 +24,7 @@ SRC_URI = "\
file://run-ptest \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://cve-2017-1000250.patch \
"
S = "${WORKDIR}/bluez-${PV}"

34
meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch Normal file
View File

@ -0,0 +1,34 @@
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
information disclosure vulnerability which allows remote attackers to obtain
sensitive information from the bluetoothd process memory. This vulnerability
lies in the processing of SDP search attribute requests.
CVE: CVE-2017-1000250
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed, 13 Sep 2017 10:01:40 +0300
Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
Check if there is enough data to continue otherwise return an error.
---
src/sdpd-request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..318d044 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
} else {
/* continuation State exists -> get from cache */
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
- if (pCache) {
+ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
pResponse = pCache->data;
memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
--
cgit v1.1