An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.
An information-disclosure vulnerability was found in the SDP server: an out-of-bounds heap read in the service_search_attr_req function while processing incoming requests. An unauthenticated attacker can exploit this vulnerability to read potentially sensitive data from the heap of the bluetoothd process.
Vulnerable code (from service_search_attr_req):
...
	} else {
		/* continuation State exists -> get from cache */
		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
		if (pCache) {
			uint16_t sent = MIN(max, pCache->data_size -
					cstate->cStateValue.maxBytesSent);
			pResponse = pCache->data;
			memcpy(buf->data,
				pResponse + cstate->cStateValue.maxBytesSent,
				sent);
			buf->data_size += sent;
			cstate->cStateValue.maxBytesSent += sent;
			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
				cstate_size = sdp_set_cstate_pdu(buf, NULL);
			else
				cstate_size = sdp_set_cstate_pdu(buf, cstate);
		} else {
			status = SDP_INVALID_CSTATE;
			SDPDBG("Non-null continuation state, but null cache buffer");
		}
	}
...
When a long response is returned for a service search attribute request, a continuation state is returned so that the remaining fragments can be fetched with further requests that carry the last continuation state sent. However, the incoming "cstate" that requests additional fragments isn't validated properly: its maxBytesSent value is used as-is as both the offset into the cached response and the operand of the length subtraction, so an out-of-bounds read of the response buffer (pResponse) can be achieved, leading to information disclosure of the heap.
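The following is an added, illustrative hardening of the cache-copy step above, not BlueZ's own code or its upstream fix; the type and function names are constructed stand-ins for the bluetoothd structures, modelling only the fields the snippet touches. It shows the bounds check the vulnerable path lacks and why an unchecked maxBytesSent makes the length arithmetic wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the bluetoothd types used in the snippet above. */
typedef struct { uint8_t *data; uint32_t data_size; } sdp_buf_t;
typedef struct { struct { uint32_t maxBytesSent; } cStateValue; } sdp_cont_state_t;

#define SDP_INVALID_CSTATE 0x0005   /* SDP "Invalid Continuation State" error code */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hardened cache-copy step: the client-controlled maxBytesSent offset is
 * checked against the cached response size before it feeds the length
 * computation and the read pointer. Returns 0 and stores the fragment length
 * in *sent, or SDP_INVALID_CSTATE when the continuation state is bogus. */
int sdp_copy_cached_fragment(const sdp_buf_t *pCache, const sdp_cont_state_t *cstate,
                             uint8_t *out, uint16_t max, uint16_t *sent)
{
    uint32_t offset = cstate->cStateValue.maxBytesSent;

    /* This check is what the vulnerable code is missing: with offset greater
     * than data_size, "data_size - offset" wraps to a huge unsigned value,
     * MIN() selects max, and memcpy reads max bytes past the cached buffer. */
    if (pCache == NULL || offset > pCache->data_size)
        return SDP_INVALID_CSTATE;

    *sent = (uint16_t)MIN(max, pCache->data_size - offset);
    memcpy(out, pCache->data + offset, *sent);
    return 0;
}

/* Drive the check against a constructed 16-byte cached response. Returns the
 * fragment length for a continuation state carrying `offset`, or -1 when the
 * state is rejected. */
int fragment_len(uint32_t offset, uint16_t max)
{
    static uint8_t cached[16] = { 0x35, 0x0e, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19,
                                  0x11, 0x01, 0x09, 0x00, 0x04, 0x35, 0x03, 0x19 };
    sdp_buf_t cache = { cached, sizeof(cached) };
    sdp_cont_state_t cstate = { { offset } };
    uint8_t out[64] = { 0 };
    uint16_t sent = 0;

    if (sdp_copy_cached_fragment(&cache, &cstate, out, max, &sent) != 0)
        return -1;
    return (int)sent;
}
```

An offset equal to data_size yields an empty fragment rather than an error, matching the snippet's own "all bytes sent" condition; anything beyond it is rejected before any memory is read.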