From ca7eda03ee40a66453e17f9cccec1ef3bddefb86 Mon Sep 17 00:00:00 2001
From: David Mondou <david.mondou@rigado.com>
Date: Wed, 13 Sep 2017 17:03:28 -0700
Subject: [PATCH] ES-217 added CVE-2017-1000250 patch for bluez. Update Linux commit id to latest commit which includes blueborne fix.
---
 recipes-connectivity/bluez5/bluez5.inc | 1 +
 .../bluez5/bluez5/CVE-2017-1000250.patch | 41 +++++++++++++++++++
 recipes-kernel/linux/linux-vesta_4.1-1.0.bb | 2 +-
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 recipes-connectivity/bluez5/bluez5/CVE-2017-1000250.patch
diff --git a/recipes-connectivity/bluez5/bluez5.inc b/recipes-connectivity/bluez5/bluez5.inc
index d361f6a..6aea48b 100644
--- a/recipes-connectivity/bluez5/bluez5.inc
+++ b/recipes-connectivity/bluez5/bluez5.inc
@@ -23,6 +23,7 @@ SRC_URI = "\
 file://run-ptest \
 ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
 file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
+ file://CVE-2017-1000250.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
diff --git a/recipes-connectivity/bluez5/bluez5/CVE-2017-1000250.patch b/recipes-connectivity/bluez5/bluez5/CVE-2017-1000250.patch
new file mode 100644
index 0000000..afb3d8c
--- /dev/null
+++ b/recipes-connectivity/bluez5/bluez5/CVE-2017-1000250.patch
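Review bot: The added `file://CVE-2017-1000250.patch` entry goes into the shared bluez5.inc with nothing recording where the fix comes from or when it can be dropped. The patch file it points to carries only `Description:` and `Origin:` header lines. Adding `CVE: CVE-2017-1000250` and an `Upstream-Status:` line to that header would let CVE tracking and the next BlueZ version bump recognise the entry. The SRC_URI assignment starts before this hunk, so the rest of the patch list is not visible here.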
@@ -0,0 +1,41 @@
+Description: validate continuation requested data size
+Origin: Armis Security <security@armis.com>
+
+CVE-2017-1000250
+
+Included is our offered patch for the information leak vulnerability:
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..ddeea7f 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer");
diff --git a/recipes-kernel/linux/linux-vesta_4.1-1.0.bb b/recipes-kernel/linux/linux-vesta_4.1-1.0.bb
index b0ae663..3023ea0 100644
--- a/recipes-kernel/linux/linux-vesta_4.1-1.0.bb
+++ b/recipes-kernel/linux/linux-vesta_4.1-1.0.bb
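Review bot: The new `cstate->cStateValue.maxBytesSent >= pCache->data_size` check covers only the cached-response path of service_search_attr_req, whose body starts and ends outside this hunk. It is therefore not visible whether other request handlers in src/sdpd-request.c resume from a continuation state using the same `pCache->data_size - cstate->cStateValue.maxBytesSent` subtraction. If any do, they need the same rejection before their `memcpy`, since an offset past the cached data would presumably still let the difference wrap and the copy read beyond the cache. A short comment above the guard, such as `/* offset is taken from the request's continuation state: reject it unless it lies inside the cached response */`, would keep the invariant from being dropped in a later refactor.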
@@ -14,7 +14,7 @@ PV .= "4.1-1.0+git${SRCPV}"
 SRCBRANCH = "master"
 #Always update SRCREV based on your last commit
-SRCREV = "c6cd5bcb1d379acf59374b75b13a2b4bd558931d"
+SRCREV = "2e20945aced2e9c27f95ede25affc86d6bbcd7b5"
 SRC_URI = "git://git.rigado.com/vesta/linux-fslc-imx-4.1-1.0.git;protocol=https;branch=${SRCBRANCH}; \
 file://defconfig"
-- GitLab