| author | System Enablement CI Bot <ce-system-enablement@lists.canonical.com> | 2017-09-13 14:57:30 (GMT) |
|---|---|---|
| committer | System Enablement CI Bot <ce-system-enablement@lists.canonical.com> | 2017-09-13 14:57:30 (GMT) |
| commit | d0561cbdc3dd0d711c67c05d8383d6fb5147cf91 (patch) | |
| tree | 4295a2465ca2078160ca3d7ba02d5b5d61a8b434 | |
| parent | 8185885d719294342d90f8a8e3e95811c2b92615 (diff) | |
| parent | bcf7b1d88537efed65728fcf9a0429b9949b5800 (diff) | |
Merge remote tracking branch fix/cve-bluebornebluez/5.44
Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/330677
Author: Konrad Zapałowicz <konrad.zapalowicz@canonical.com>
Fix CVE-2017-1000250
More details: https://www.armis.com/blueborne/, patch based on https://launchpadlibrarian.net/336654263/bluez_5.37-0ubuntu5_5.37-0ubuntu5.1.diff.gz
| -rw-r--r-- | src/sdpd-request.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..ddeea7f 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
 /* continuation State exists -> get from cache */
 sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 if (pCache) {
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
- pResponse = pCache->data;
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
- buf->data_size += sent;
- cstate->cStateValue.maxBytesSent += sent;
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
- else
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Got bad cstate with invalid size");
+ } else {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+ buf->data_size += sent;
+ cstate->cStateValue.maxBytesSent += sent;
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
+ else
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
+ }
 } else {
 status = SDP_INVALID_CSTATE;
 SDPDBG("Non-null continuation state, but null cache buffer"); |
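Review bot: The new guard at the top of the `if (pCache)` branch carries no comment explaining why a continuation offset at or beyond pCache->data_size must be rejected, which is the whole point of the fix; `/* A client-supplied offset at or past the cached response would make the memcpy below read beyond pCache->data (CVE-2017-1000250). */` above the `if` would keep a later cleanup from folding it back into the MIN() expression. The rejected case reuses the same SDP_INVALID_CSTATE status and SDPDBG pattern as the null-cache branch, so the two error paths stay consistent. Note that the bound assumes pCache->data_size is the true length of the cached buffer and that maxBytesSent is the only client-controlled input to the copy; the MIN() against `max` only bounds the destination side. If the same cached-continuation copy appears in the sibling request handlers of this file, which seems likely given the shared cstate helpers, they need the identical bound and are not touched by this commit. service_search_attr_req begins and ends outside the hunk.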
