guix/gnu/packages/patches/bluez-CVE-2017-1000250.patch

Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
Origin: vendor
Bug-Debian: https://bugs.debian.org/875633
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
Forwarded: no
Author: Armis Security <security@armis.com>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2017-09-13

--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
 		/* continuation State exists -> get from cache */
 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 		if (pCache) {
-			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
-			pResponse = pCache->data;
-			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
-			buf->data_size += sent;
-			cstate->cStateValue.maxBytesSent += sent;
-			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
-				cstate_size = sdp_set_cstate_pdu(buf, NULL);
-			else
-				cstate_size = sdp_set_cstate_pdu(buf, cstate);
+			if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+				status = SDP_INVALID_CSTATE;
+				SDPDBG("Got bad cstate with invalid size");
+			} else {
+				uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+				pResponse = pCache->data;
+				memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+				buf->data_size += sent;
+				cstate->cStateValue.maxBytesSent += sent;
+				if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+					cstate_size = sdp_set_cstate_pdu(buf, NULL);
+				else
+					cstate_size = sdp_set_cstate_pdu(buf, cstate);
+			}
 		} else {
 			status = SDP_INVALID_CSTATE;
 			SDPDBG("Non-null continuation state, but null cache buffer");
gnu: bluez: Add replacement to fix CVE-2017-1000250. * gnu/packages/patches/bluez-CVE-2017-1000250.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (bluez)[replacement]: New field. (bluez/fixed): New variable. 2017-09-13 10:30:47 -04:00			`Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req`
			`Origin: vendor`
			`Bug-Debian: https://bugs.debian.org/875633`
			`Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446`
			`Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342`
			`Forwarded: no`
			`Author: Armis Security <security@armis.com>`
			`Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>`
			`Last-Update: 2017-09-13`

			`--- a/src/sdpd-request.c`
			`+++ b/src/sdpd-request.c`
			`@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r`
			`/* continuation State exists -> get from cache */`
			`sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);`
			`if (pCache) {`
			`- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);`
			`- pResponse = pCache->data;`
			`- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);`
			`- buf->data_size += sent;`
			`- cstate->cStateValue.maxBytesSent += sent;`
			`- if (cstate->cStateValue.maxBytesSent == pCache->data_size)`
			`- cstate_size = sdp_set_cstate_pdu(buf, NULL);`
			`- else`
			`- cstate_size = sdp_set_cstate_pdu(buf, cstate);`
			`+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {`
			`+ status = SDP_INVALID_CSTATE;`
			`+ SDPDBG("Got bad cstate with invalid size");`
			`+ } else {`
			`+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);`
			`+ pResponse = pCache->data;`
			`+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);`
			`+ buf->data_size += sent;`
			`+ cstate->cStateValue.maxBytesSent += sent;`
			`+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)`
			`+ cstate_size = sdp_set_cstate_pdu(buf, NULL);`
			`+ else`
			`+ cstate_size = sdp_set_cstate_pdu(buf, cstate);`
			`+ }`
			`} else {`
			`status = SDP_INVALID_CSTATE;`
			`SDPDBG("Non-null continuation state, but null cache buffer");`