Attachment 310250 Details for Bug 452715 – Patch for 3.7

[patch] Patch for 3.7

bluez-utils-3.7-sdp-vuln.patch (text/plain), 6.90 KB, created by Bastien Nocera on 2008-06-25 10:32:56 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Bastien Nocera

Created: 2008-06-25 10:32:56 UTC

Size: 6.90 KB

patch

obsolete

>diff -upr bluez-utils-3.7.old/hcid/dbus-sdp.c bluez-utils-3.7/hcid/dbus-sdp.c
>--- bluez-utils-3.7.old/hcid/dbus-sdp.c	2006-09-29 22:49:18.000000000 +0100
>+++ bluez-utils-3.7/hcid/dbus-sdp.c	2008-06-25 11:29:25.000000000 +0100
>@@ -586,7 +586,7 @@ static void remote_svc_rec_completed_cb(
> 	dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY,
> 			DBUS_TYPE_BYTE_AS_STRING, &array_iter);
> 
>-	rec = sdp_extract_pdu(rsp, &scanned);
>+	rec = sdp_extract_pdu_safe(rsp, size, &scanned);
> 	if (rec == NULL) {
> 		error("SVC REC is null");
> 		goto done;
>@@ -1531,7 +1531,7 @@ static void get_rec_with_handle_comp_cb(
> 		goto failed;
> 	}
> 
>-	rec = sdp_extract_pdu(rsp, &scanned);
>+	rec = sdp_extract_pdu_safe(rsp, size, &scanned);
> 	if (!rec) {
> 		error("Service record is NULL");
> 		cb_err = EPROTO;
>diff -upr bluez-utils-3.7.old/sdpd/request.c bluez-utils-3.7/sdpd/request.c
>--- bluez-utils-3.7.old/sdpd/request.c	2006-08-24 17:29:39.000000000 +0100
>+++ bluez-utils-3.7/sdpd/request.c	2008-06-25 11:27:01.000000000 +0100
>@@ -64,8 +64,9 @@ static int extract_des(uint8_t *buf, int
> 	uint8_t dataType;
> 	int status = 0;
> 	const uint8_t *p;
>+	int bufsize;
> 
>-	scanned = sdp_extract_seqtype(buf, &seqType, &data_size);
>+	scanned = sdp_extract_seqtype_safe(buf, len, &seqType, &data_size);
> 
> 	SDPDBG("Seq type : %d\n", seqType);
> 	if (!scanned || (seqType != SDP_SEQ8 && seqType != SDP_SEQ16)) {
>@@ -73,12 +74,18 @@ static int extract_des(uint8_t *buf, int
> 		return -1;
> 	}
> 	p = buf + scanned;
>+	bufsize = len - scanned;
> 
> 	SDPDBG("Data size : %d\n", data_size);
> 	for (;;) {
> 		char *pElem = NULL;
> 		int localSeqLength = 0;
> 
>+		if (bufsize < sizeof(uint8_t)) {
>+			debug("->Unexpected end of buffer");
>+			return -1;
>+		}
>+
> 		dataType = *(uint8_t *)p;
> 		SDPDBG("Data type: 0x%02x\n", dataType);
> 
>@@ -96,27 +103,43 @@ static int extract_des(uint8_t *buf, int
> 		case SDP_UINT16:
> 			p += sizeof(uint8_t);
> 			seqlen += sizeof(uint8_t);
>+			bufsize -= sizeof(uint8_t);
>+			if (bufsize < sizeof(uint16_t)) {
>+				debug("->Unexpected end of buffer");
>+				return -1;
>+			}
>+
> 			pElem = malloc(sizeof(uint16_t));
> 			sdp_put_unaligned(ntohs(sdp_get_unaligned((uint16_t *)p)), (uint16_t *)pElem);
> 			p += sizeof(uint16_t);
> 			seqlen += sizeof(uint16_t);
>+			bufsize -= sizeof(uint16_t);
> 			break;
> 		case SDP_UINT32:
> 			p += sizeof(uint8_t);
> 			seqlen += sizeof(uint8_t);
>+			bufsize -= sizeof(uint8_t);
>+			if (bufsize < (int)sizeof(uint32_t)) {
>+				debug("->Unexpected end of buffer");
>+				return -1;
>+			}
>+
> 			pElem = malloc(sizeof(uint32_t));
> 			sdp_put_unaligned(ntohl(sdp_get_unaligned((uint32_t *)p)), (uint32_t *)pElem);
> 			p += sizeof(uint32_t);
> 			seqlen += sizeof(uint32_t);
>+			bufsize -= sizeof(uint32_t);
> 			break;
> 		case SDP_UUID16:
> 		case SDP_UUID32:
> 		case SDP_UUID128:
> 			pElem = malloc(sizeof(uuid_t));
>+			status = sdp_uuid_extract_safe(p, bufsize, (uuid_t *) pElem, &localSeqLength);
> 			status = sdp_uuid_extract(p, (uuid_t *)pElem, &localSeqLength);
> 			if (status == 0) {
> 				seqlen += localSeqLength;
> 				p += localSeqLength;
>+				bufsize -= localSeqLength;
> 			}
> 			break;
> 		default:
>diff -upr bluez-utils-3.7.old/sdpd/service.c bluez-utils-3.7/sdpd/service.c
>--- bluez-utils-3.7.old/sdpd/service.c	2006-02-03 03:38:47.000000000 +0000
>+++ bluez-utils-3.7/sdpd/service.c	2008-06-25 11:24:41.000000000 +0100
>@@ -44,7 +44,7 @@
> extern void update_db_timestamp(void);
> 
> // FIXME: refactor for server-side
>-static sdp_record_t *extract_pdu_server(bdaddr_t *device, uint8_t *p, uint32_t handleExpected, int *scanned)
>+static sdp_record_t *extract_pdu_server(bdaddr_t *device, uint8_t *p, int bufsize, uint32_t handleExpected, int *scanned)
> {
> 	int extractStatus = -1, localExtractedLength = 0;
> 	uint8_t dtd;
>@@ -54,13 +54,24 @@ static sdp_record_t *extract_pdu_server(
> 	sdp_data_t *pAttr = NULL;
> 	uint32_t handle = 0xffffffff;
> 
>-	*scanned = sdp_extract_seqtype(p, &dtd, &seqlen);
>+	*scanned = sdp_extract_seqtype_safe(p, &dtd, &seqlen);
> 	p += *scanned;
>+	bufsize -= *scanned;
>+
>+	if (bufsize < sizeof(uint8_t) + sizeof(uint8_t)) {
>+		debug("Unexpected end of packet");
>+		return NULL;
>+	}
>+
> 	lookAheadAttrId = ntohs(sdp_get_unaligned((uint16_t *) (p + sizeof(uint8_t))));
> 
> 	SDPDBG("Look ahead attr id : %d\n", lookAheadAttrId);
> 
> 	if (lookAheadAttrId == SDP_ATTR_RECORD_HANDLE) {
>+		if (bufsize < (sizeof(uint8_t) * 2) + sizeof(uint16_t) + sizeof(uint32_t)) {
>+			debug("Unexpected end of packet");
>+			return NULL;
>+		}
> 		handle = ntohl(sdp_get_unaligned((uint32_t *) (p +
> 				sizeof(uint8_t) + sizeof(uint16_t) +
> 				sizeof(uint8_t))));
>@@ -85,6 +96,11 @@ static sdp_record_t *extract_pdu_server(
> 		int attrSize = sizeof(uint8_t);
> 		int attrValueLength = 0;
> 
>+		if (bufsize < attrSize + sizeof(uint16_t)) {
>+			debug("Unexpected end of packet: Terminating extraction of attributes");
>+			break;
>+		}
>+
> 		SDPDBG("Extract PDU, sequenceLength: %d localExtractedLength: %d", seqlen, localExtractedLength);
> 		dtd = *(uint8_t *) p;
> 
>@@ -93,7 +109,8 @@ static sdp_record_t *extract_pdu_server(
> 		
> 		SDPDBG("DTD of attrId : %d Attr id : 0x%x \n", dtd, attrId);
> 
>-		pAttr = sdp_extract_attr(p + attrSize, &attrValueLength, rec);
>+		pAttr = sdp_extract_attr_safe(p + attrSize, bufsize - attrSize,
>+							&attrValueLength, rec);
> 
> 		SDPDBG("Attr id : 0x%x attrValueLength : %d\n", attrId, attrValueLength);
> 
>@@ -104,6 +121,7 @@ static sdp_record_t *extract_pdu_server(
> 		}
> 		localExtractedLength += attrSize;
> 		p += attrSize;
>+		bufsize -= attrSize;
> 		sdp_attr_replace(rec, attrId, pAttr);
> 		extractStatus = 0;
> 		SDPDBG("Extract PDU, seqLength: %d localExtractedLength: %d",
>@@ -128,16 +146,18 @@ int service_register_req(sdp_req_t *req,
> 	int scanned = 0;
> 	sdp_data_t *handle;
> 	uint8_t *p = req->buf + sizeof(sdp_pdu_hdr_t);
>+	int bufsize = req->len - sizeof(sdp_pdu_hdr_t);
> 	sdp_record_t *rec;
> 
> 	req->flags = *p++;
> 	if (req->flags & SDP_DEVICE_RECORD) {
> 		bacpy(&req->device, (bdaddr_t *) p);
> 		p += sizeof(bdaddr_t);
>+		bufsize -= sizeof(bdaddr_t);
> 	}
> 
> 	// save image of PDU: we need it when clients request this attribute
>-	rec = extract_pdu_server(&req->device, p, 0xffffffff, &scanned);
>+	rec = extract_pdu_server(&req->device, p, bufsize, 0xffffffff, &scanned);
> 	if (!rec)
> 		goto invalid;
> 
>@@ -190,6 +210,7 @@ int service_update_req(sdp_req_t *req, s
> 	sdp_record_t *orec;
> 	int status = 0, scanned = 0;
> 	uint8_t *p = req->buf + sizeof(sdp_pdu_hdr_t);
>+	int bufsize = req->len - sizeof(sdp_pdu_hdr_t);
> 	uint32_t handle = ntohl(sdp_get_unaligned((uint32_t *) p));
> 
> 	SDPDBG("");
>@@ -197,13 +218,14 @@ int service_update_req(sdp_req_t *req, s
> 	SDPDBG("Svc Rec Handle: 0x%x\n", handle);
> 
> 	p += sizeof(uint32_t);
>+	bufsize -= sizeof(uint32_t);
> 
> 	orec = sdp_record_find(handle);
> 
> 	SDPDBG("SvcRecOld: 0x%x\n", (uint32_t)orec);
> 
> 	if (orec) {
>-		sdp_record_t *nrec = extract_pdu_server(BDADDR_ANY, p, handle, &scanned);
>+		sdp_record_t *nrec = extract_pdu_server(BDADDR_ANY, p, bufsize, handle, &scanned);
> 		if (nrec && handle == nrec->handle)
> 			update_db_timestamp();
> 		else {

Actions: View | Diff

Attachments on bug 452715: 310163 | 310164 | 310247 | 310250 | 310333 | 310417