Commit af5aacfd authored by David Mondou's avatar David Mondou

Merge branch 'fix/bluebourne' into 'master'

ES-217 added CVE-2017-1000250 patch for bluez.

See merge request !42
parents 5d08d12f ca7eda03
......@@ -23,6 +23,7 @@ SRC_URI = "\
file://run-ptest \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://CVE-2017-1000250.patch \
"
S = "${WORKDIR}/bluez-${PV}"
......
Description: validate continuation requested data size
Origin: Armis Security <security@armis.com>
CVE-2017-1000250
Included is our offered patch for the information leak vulnerability:
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..ddeea7f 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
/* continuation State exists -> get from cache */
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
if (pCache) {
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
- pResponse = pCache->data;
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
- buf->data_size += sent;
- cstate->cStateValue.maxBytesSent += sent;
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- else
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Got bad cstate with invalid size");
+ } else {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+ buf->data_size += sent;
+ cstate->cStateValue.maxBytesSent += sent;
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
+ else
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ }
} else {
status = SDP_INVALID_CSTATE;
SDPDBG("Non-null continuation state, but null cache buffer");
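Review bot: The new `maxBytesSent >= pCache->data_size` guard has no comment saying why it exists, and the reason is the security-relevant part: the continuation state appears to come from the request, so its offset must be checked against the cached response before it feeds the `MIN()` subtraction and the `memcpy` source pointer. I would add above the check `/* cstate is peer-supplied: reject an offset at or past the cached size before the subtraction and memcpy below */`. service_search_attr_req starts and ends outside this hunk, and if other handlers in sdpd-request.c replay a cached response from a continuation state in the same way (not visible here), they would need the same bound. On the recipe side, the patch header carries the CVE id on a bare line; OpenEmbedded convention is tagged `CVE: CVE-2017-1000250` and `Upstream-Status:` lines, so that tooling and later maintainers can track the fix.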
......@@ -14,7 +14,7 @@ PV .= "4.1-1.0+git${SRCPV}"
SRCBRANCH = "master"
#Always update SRCREV based on your last commit
SRCREV = "c6cd5bcb1d379acf59374b75b13a2b4bd558931d"
SRCREV = "2e20945aced2e9c27f95ede25affc86d6bbcd7b5"
SRC_URI = "git://git.rigado.com/vesta/linux-fslc-imx-4.1-1.0.git;protocol=https;branch=${SRCBRANCH}; \
file://defconfig"
......