
From 7a80d2096f1b7125085e21448112aa02f49f5e9a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 29 Apr 2021 17:10:50 -0700
Subject: [PATCH] avdtp: Fix accepting invalid/malformed capabilities

Check if capabilities are valid before attempting to copy them.

Joey Lee:
Add #include "src/shared/util.h". It was originally added by the
"aabaa70200f2 audio/avdtp: Use bitfield id generation" patch and has
been present since bluez 5.29.
---
 profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 20 deletions(-)

Index: bluez-5.13/profiles/audio/avdtp.c
===================================================================
--- bluez-5.13.orig/profiles/audio/avdtp.c
+++ bluez-5.13/profiles/audio/avdtp.c
@@ -42,6 +42,7 @@
 #include <btio/btio.h>
 
 #include "log.h"
+#include "src/shared/util.h"
 
 #include "lib/uuid.h"
 #include "src/adapter.h"
@@ -1277,43 +1278,53 @@ struct avdtp_remote_sep *avdtp_find_remo
 	return NULL;
 }
 
-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
 				struct avdtp_service_capability **codec,
 				gboolean *delay_reporting)
 {
+	struct avdtp_service_capability *cap;
 	GSList *caps;
-	int processed;
 
 	if (delay_reporting)
 		*delay_reporting = FALSE;
 
-	for (processed = 0, caps = NULL; processed + 2 <= size;) {
-		struct avdtp_service_capability *cap;
-		uint8_t length, category;
+	if (size < sizeof(*cap))
+		return NULL;
 
-		category = data[0];
-		length = data[1];
+	for (caps = NULL; size >= sizeof(*cap);) {
+		struct avdtp_service_capability *cpy;
 
-		if (processed + 2 + length > size) {
+		cap = (struct avdtp_service_capability *)data;
+
+		if (sizeof(*cap) + cap->length >= size) {
 			error("Invalid capability data in getcap resp");
 			break;
 		}
 
-		cap = g_malloc(sizeof(struct avdtp_service_capability) +
-					length);
-		memcpy(cap, data, 2 + length);
-
-		processed += 2 + length;
-		data += 2 + length;
-
-		caps = g_slist_append(caps, cap);
-
-		if (category == AVDTP_MEDIA_CODEC &&
-				length >=
-				sizeof(struct avdtp_media_codec_capability))
-			*codec = cap;
-		else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
-			*delay_reporting = TRUE;
+		if (cap->category == AVDTP_MEDIA_CODEC &&
+					cap->length < sizeof(**codec)) {
+			error("Invalid codec data in getcap resp");
+			break;
+		}
+
+		cpy = btd_malloc(sizeof(*cpy) + cap->length);
+		memcpy(cpy, cap, sizeof(*cap) + cap->length);
+
+		size -= sizeof(*cap) + cap->length;
+		data += sizeof(*cap) + cap->length;
+
+		caps = g_slist_append(caps, cpy);
+
+		switch (cap->category) {
+		case AVDTP_MEDIA_CODEC:
+			if (codec)
+				*codec = cap;
+			break;
+		case AVDTP_DELAY_REPORTING:
+			if (delay_reporting)
+				*delay_reporting = TRUE;
+			break;
+		}
 	}
 
 	return caps;
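Review bot: `*codec = cap;` in the `AVDTP_MEDIA_CODEC` case near the end of the loop publishes a pointer into the caller's `data` buffer rather than into the heap copy `cpy` that is appended to `caps`, so the codec pointer no longer shares the list's lifetime and dangles once the incoming PDU buffer is reused; the old code pointed `*codec` at the list-owned allocation. It should read `*codec = cpy;`. Separately, the bounds check `if (sizeof(*cap) + cap->length >= size)` rejects a capability that exactly fills the remaining buffer, which is always true of the final entry (after the later subtraction `size` would reach 0), so every well-formed response logs "Invalid capability data in getcap resp" and loses its last capability; `>` is the intended comparison. caps_to_list's closing brace is outside the hunk.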
@@ -1504,6 +1515,12 @@ static gboolean avdtp_setconf_cmd(struct
 					&stream->codec,
 					&stream->delay_reporting);
 
+	if (!stream->caps || !stream->codec) {
+		err = AVDTP_UNSUPPORTED_CONFIGURATION;
+		category = 0x00;
+		goto failed_stream;
+	}
+
 	/* Verify that the Media Transport capability's length = 0. Reject otherwise */
 	for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
 		struct avdtp_service_capability *cap = l->data;
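Review bot: The added rejection `if (!stream->caps || !stream->codec)` can jump to `failed_stream` with a non-empty `stream->caps` list (capabilities were parsed but none was a media codec), so that label — outside this hunk, as is the rest of avdtp_setconf_cmd — must release the list or it leaks on every such SET_CONFIGURATION; please confirm it does, since the pre-existing failure paths may have been reached only before `caps_to_list` populated it. The bare `category = 0x00;` would also read better with a short comment such as `/* rejection not tied to a specific service category — confirm against AVDTP spec */`.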