From patchwork Wed Sep 13 12:19:55 2017
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 813410
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Wed, 13 Sep 2017 14:19:55 +0200
Message-Id: <20170913121955.21236-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] bluez5_utils: add upstream security fix for CVE-2017-1000250

Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

Signed-off-by: Peter Korsgaard
---
 ...-of-bounds-heap-read-in-service_search_at.patch | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch

diff --git a/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch b/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch
new file mode 100644
index 0000000000..a73c372e68
--- /dev/null
+++ b/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch
@@ -0,0 +1,29 @@ +From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 13 Sep 2017 10:01:40 +0300 +Subject: [PATCH] sdp: Fix Out-of-bounds heap read in service_search_attr_req + function + +Check if there is enough data to continue otherwise return an error. + +Signed-off-by: Peter Korsgaard +--- + src/sdpd-request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sdpd-request.c b/src/sdpd-request.c +index 1eefdce1a..318d04467 100644 +--- a/src/sdpd-request.c ++++ b/src/sdpd-request.c +@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) + } else { + /* continuation State exists -> get from cache */ + sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); +- if (pCache) { ++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) { + uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); + pResponse = pCache->data; + memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); +-- +2.11.0 +
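Review bot: the new `cstate->cStateValue.maxBytesSent < pCache->data_size` condition on the `if (pCache && ...)` line is the whole fix, and it works because the lines that follow compute `pCache->data_size - cstate->cStateValue.maxBytesSent` and then `memcpy` that many bytes from `pResponse + maxBytesSent`. `cstate` is the continuation state handed back by the peer, so `maxBytesSent` is attacker-influenced; without the check the unsigned subtraction wraps, `MIN(max, ...)` falls back to `max`, and the copy starts past the end of the cached response, which is the heap over-read the description names. Two things the hunk does not show and that should be confirmed in the surrounding code: the `else` branch that now also receives the out-of-range case must actually produce an SDP error response, as "otherwise return an error" in the patch description promises, rather than silently returning a truncated or empty payload; and `max` must already be bounded by the caller, since `sent` is a `uint16_t` and `MIN(max, ...)` is the only remaining cap on the copy length. For the Buildroot patch file itself, the description would be easier to audit if it said explicitly that it is a backport of upstream commit 9e009647b14e810e06626dde7f1bb9ea3c375d09 and named CVE-2017-1000250, since today only the Buildroot commit message carries the CVE and the package directory does not.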