authorSystem Enablement CI Bot <ce-system-enablement@lists.canonical.com>2017-09-13 14:57:30 (GMT)
committerSystem Enablement CI Bot <ce-system-enablement@lists.canonical.com>2017-09-13 14:57:30 (GMT)
commitd0561cbdc3dd0d711c67c05d8383d6fb5147cf91 (patch)
tree4295a2465ca2078160ca3d7ba02d5b5d61a8b434
parent8185885d719294342d90f8a8e3e95811c2b92615 (diff)
parentbcf7b1d88537efed65728fcf9a0429b9949b5800 (diff)
Merge remote tracking branch fix/cve-bluebornebluez/5.44
Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/330677 Author: Konrad Zapałowicz <konrad.zapalowicz@canonical.com> Fix CVE-2017-1000250 More details: https://www.armis.com/blueborne/, patch based on https://launchpadlibrarian.net/336654263/bluez_5.37-0ubuntu5_5.37-0ubuntu5.1.diff.gz
-rw-r--r--src/sdpd-request.c23
1 files changed, 14 insertions, 9 deletions
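--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 /* continuation State exists -> get from cache */
 sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 if (pCache) {
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
- pResponse = pCache->data;
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
- buf->data_size += sent;
- cstate->cStateValue.maxBytesSent += sent;
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- else
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Got bad cstate with invalid size");
+ } else {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+ buf->data_size += sent;
+ cstate->cStateValue.maxBytesSent += sent;
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
+ else
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ }
 } else {
 status = SDP_INVALID_CSTATE;
 SDPDBG("Non-null continuation state, but null cache buffer");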
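Review bot: The new guard `if (cstate->cStateValue.maxBytesSent >= pCache->data_size)` carries no comment explaining what it protects, even though it is the entire CVE-2017-1000250 fix: the offset comes from the continuation state echoed back by the peer, and without the check the `pCache->data_size - maxBytesSent` feeding MIN() would go past zero (wrapping if the operands are unsigned, which the types suggest but the hunk does not show) so the memcpy below would read beyond the cached response. I would put `/* maxBytesSent is taken from the peer's continuation state; an offset at or past the end of the cached response would make the memcpy below read beyond pCache->data (CVE-2017-1000250). */` directly above the check so the next maintainer does not "simplify" it away. If the other request handlers in this file reuse the same cache/continuation pattern, they presumably need the same guard; that is outside this hunk and worth confirming. service_search_attr_req begins and ends outside the hunk, so how `status` and `cstate_size` are consumed after this block is not visible here.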