diff --git a/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch b/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch new file mode 100644 index 0000000..cb71522 --- /dev/null +++ b/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch @@ -0,0 +1,55 @@ +From 6821472c7509c54c5b1ef4744af8f6eab9be4aa7 Mon Sep 17 00:00:00 2001 +From: Fedora Bluez maintainers +Date: Mon, 11 Sep 2017 11:19:18 -0400 +Subject: [PATCH] Out of bounds heap read in service_search_attr_req function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When a long response is returned to a specific search attribute request, a +continuation state is returned to allow reception of additional fragments, via +additional requests that contain the last continuation state sent. However, the +incoming “cstate” that requests additional fragments isn’t validated properly, +and thus an out-of-bounds read of the response buffer (pResponse) can be +achieved, leading to information disclosure of the heap. +--- + src/sdpd-request.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/src/sdpd-request.c b/src/sdpd-request.c +index 1eefdce..ddeea7f 100644 +--- a/src/sdpd-request.c ++++ b/src/sdpd-request.c +@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) + /* continuation State exists -> get from cache */ + sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); + if (pCache) { +- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); +- pResponse = pCache->data; +- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); +- buf->data_size += sent; +- cstate->cStateValue.maxBytesSent += sent; +- if (cstate->cStateValue.maxBytesSent == pCache->data_size) +- cstate_size = sdp_set_cstate_pdu(buf, NULL); +- else +- cstate_size = sdp_set_cstate_pdu(buf, cstate); ++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) { ++ status = SDP_INVALID_CSTATE; ++ SDPDBG("Got bad cstate with invalid size"); ++ } else { ++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); ++ pResponse = pCache->data; ++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); ++ buf->data_size += sent; ++ cstate->cStateValue.maxBytesSent += sent; ++ if (cstate->cStateValue.maxBytesSent == pCache->data_size) ++ cstate_size = sdp_set_cstate_pdu(buf, NULL); ++ else ++ cstate_size = sdp_set_cstate_pdu(buf, cstate); ++ } + } else { + status = SDP_INVALID_CSTATE; + SDPDBG("Non-null continuation state, but null cache buffer"); +-- +2.13.5 + diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec index 92954ba..651a5e5 100644 --- a/SPECS/bluez.spec +++ b/SPECS/bluez.spec @@ -1,7 +1,7 @@ Summary: Bluetooth utilities Name: bluez Version: 5.44 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: Applications/System URL: http://www.bluez.org/ @@ -16,6 +16,7 @@ Patch3: 0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch Patch4: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch Patch5: 0002-autopair-Don-t-handle-the-iCade.patch Patch7: 0004-agent-Assert-possible-infinite-loop.patch +Patch8: 0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch %global _hardened_build 1 @@ -251,6 +252,14 @@ sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=false/' ${RPM /lib/udev/rules.d/97-hid2hci.rules %changelog +* Mon Sep 11 2017 Don Zickus 5.44-4 +- forgot to bump rev +Resolves: #1490010 + +* Mon Sep 11 2017 Don Zickus 5.44-3 +- sdpd heap fix +Resolves: #1490010 + * Mon Mar 27 2017 David Arcari 5.44-2 - added missing updates for sources and .gitignore Resolves: #1434581, #1401501