File gatt-Fix-potential-buffer-out-of-bound.patch of Package bluez.25504
From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 4 Jan 2021 10:38:31 -0800
Subject: [PATCH] gatt: Fix potential buffer out-of-bound
When client features is read check if the offset is within the cli_feat
bounds.
Fixes: https://github.com/bluez/bluez/issues/70
---
src/gatt-database.c | 5 +++++
1 file changed, 5 insertions(+)
Index: bluez-5.55/src/gatt-database.c
===================================================================
--- bluez-5.55.orig/src/gatt-database.c
+++ bluez-5.55/src/gatt-database.c
@@ -1084,6 +1084,11 @@ static void cli_feat_read_cb(struct gatt
goto done;
}
+ if (offset >= sizeof(state->cli_feat)) {
+ ecode = BT_ATT_ERROR_INVALID_OFFSET;
+ goto done;
+ }
+
len = sizeof(state->cli_feat) - offset;
value = len ? &state->cli_feat[offset] : NULL;