| author | Efraim Flashner <efraim@flashner.co.il> | 2017-10-01 19:59:55 +0300 |
|---|---|---|
| committer | Efraim Flashner <efraim@flashner.co.il> | 2017-10-01 22:16:22 +0300 |
| commit | 64df08f0cfac8f7a329002afa3461fd62a4b229c (patch) | |
| tree | 019909423138ceb49cdd86f1af48d366503db68f /gnu/packages/patches/bluez-CVE-2017-1000250.patch | |
| parent | b83ad3ace56c65a367e8f58c7b78323cf251b94b (diff) | |
| parent | 0ef1c223071869488c35b72b7407234c11425589 (diff) | |
Merge remote-tracking branch 'origin/master' into core-updates
Diffstat (limited to 'gnu/packages/patches/bluez-CVE-2017-1000250.patch')
| -rw-r--r-- | gnu/packages/patches/bluez-CVE-2017-1000250.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/gnu/packages/patches/bluez-CVE-2017-1000250.patch b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
new file mode 100644
index 0000000000..81f209d7b2
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
@@ -0,0 +1,42 @@
+Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/875633
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
+Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
+Forwarded: no
+Author: Armis Security <security@armis.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-09-13
+
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer"); |
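Review bot: The new `maxBytesSent >= pCache->data_size` guard in service_search_attr_req has no comment saying what it protects, so a later refactor could relax it without noticing that `pCache->data_size - cstate->cStateValue.maxBytesSent` would then go out of range and the `memcpy` would read past the cached response. I would add above it `/* maxBytesSent comes from the request's continuation state; reject offsets at or past the cached response so the subtraction below stays in range */`. The rejection is reported only through `SDPDBG`, which looks like a debug-only trace, so a malformed continuation state may leave no record in normal logs; if the daemon's `error()` logger is in scope in this file, `error("Got bad cstate with invalid size");` would make it visible to operators. The guard bounds the read side only; whether `buf->data` has room for `max` bytes is established outside this hunk, as is the rest of the function body.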
