sdpd heap fixes

Resolves: rhbz#1490911
This commit is contained in:
Don Zickus 2017-09-11 12:24:56 -04:00
parent 9089a629a1
commit 268965a3ff
2 changed files with 62 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From 6821472c7509c54c5b1ef4744af8f6eab9be4aa7 Mon Sep 17 00:00:00 2001
From: Fedora Bluez maintainers <bluez-owner@fedoraproject.org>
Date: Mon, 11 Sep 2017 11:19:18 -0400
Subject: [PATCH] Out of bounds heap read in service_search_attr_req function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a long response is returned to a specific search attribute request, a
continuation state is returned to allow reception of additional fragments, via
additional requests that contain the last continuation state sent. However, the
incoming “cstate” that requests additional fragments isnt validated properly,
and thus an out-of-bounds read of the response buffer (pResponse) can be
achieved, leading to information disclosure of the heap.
---
src/sdpd-request.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..ddeea7f 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
/* continuation State exists -> get from cache */
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
if (pCache) {
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
- pResponse = pCache->data;
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
- buf->data_size += sent;
- cstate->cStateValue.maxBytesSent += sent;
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- else
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Got bad cstate with invalid size");
+ } else {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+ buf->data_size += sent;
+ cstate->cStateValue.maxBytesSent += sent;
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
+ else
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ }
} else {
status = SDP_INVALID_CSTATE;
SDPDBG("Non-null continuation state, but null cache buffer");
--
2.13.5

View File

@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.46
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
URL: http://www.bluez.org/
@ -39,6 +39,8 @@ Patch107: 0007-plugins-sixaxis-Rename-sixaxis-specific-functions.patch
Patch108: 0008-plugins-sixaxis-Add-support-for-DualShock-4-PS4-cabl.patch
Patch109: 0009-plugins-sixaxis-Cancel-cable-pairing-if-unplugged.patch
Patch110: 0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
BuildRequires: git-core
BuildRequires: dbus-devel >= 1.6
BuildRequires: glib2-devel
@ -265,6 +267,10 @@ install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
%{_userunitdir}/obex.service
%changelog
* Mon Sep 11 2017 Don Zickus <dzickus@redhat.com> - 5.46-6
- sdpd heap fixes
Resolves: rhbz#1490911
* Thu Sep 07 2017 Hans de Goede <hdegoede@redhat.com> - 5.46-5
- Add scripts to automatically btattach serial-port / uart connected
Broadcom HCIs found on some Atom based x86 hardware