Commit d391de45 authored by Pete Tucker

Add fix for Blueborne vulnerability to helium

parent 6283b8b1
Description: validate continuation requested data size
Origin: Armis Security <security@armis.com>
CVE-2017-1000250
Included is our offered patch for the information leak vulnerability:
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..ddeea7f 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
/* continuation State exists -> get from cache */
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
if (pCache) {
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
- pResponse = pCache->data;
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
- buf->data_size += sent;
- cstate->cStateValue.maxBytesSent += sent;
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- else
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Got bad cstate with invalid size");
+ } else {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+ buf->data_size += sent;
+ cstate->cStateValue.maxBytesSent += sent;
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
+ else
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ }
} else {
status = SDP_INVALID_CSTATE;
SDPDBG("Non-null continuation state, but null cache buffer");
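Review bot: The new `maxBytesSent >= pCache->data_size` guard in service_search_attr_req has no comment explaining it, and the rejection is reported only through `SDPDBG`, so a non-debug build will likely record nothing when a peer sends a bad continuation state. I would add above the check `/* maxBytesSent is taken from the continuation state in the request; if it reaches data_size the subtraction below wraps and memcpy reads past the cached response */`, and log the rejection at a level that survives outside debug builds. Rejecting `==` as well looks right, since the last fragment is answered with a NULL cstate, but the comment should say so. If other request handlers in sdpd-request.c replay cached responses with the same `MIN(..., data_size - maxBytesSent)` pattern, they need the same guard; that cannot be confirmed from this hunk. The function body starts and ends outside the hunk.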
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "\
file://CVE-2017-1000250.patch \
"
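Review bot: The patch added to SRC_URI here has no `Upstream-Status:` line in the header visible on this page, and it gives the CVE as a bare `CVE-2017-1000250` rather than the tagged form `CVE: CVE-2017-1000250` that OpenEmbedded patch headers conventionally use. Adding both lines to the patch header lets a later maintainer see whether the fix is a backport or a local change, and when it can be dropped after a BlueZ upgrade. The header also carries no `Signed-off-by:` line for whoever imported the patch, which makes it harder to trace where it came from.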
......@@ -14,7 +14,7 @@ PV .= "4.1-1.0+git${SRCPV}"
SRCBRANCH = "master"
#Always update SRCREV based on your last commit
SRCREV = "7aaa37ed45537645c16689257d6d396e0e2dbfba"
SRCREV = "2e20945aced2e9c27f95ede25affc86d6bbcd7b5"
SRC_URI = "git://git.rigado.com/vesta/linux-fslc-imx-4.1-1.0.git;protocol=https;branch=${SRCBRANCH}; \
file://defconfig"
......