~alfonsosanchezbeato/snappy-hwe-snaps/+git/bluez:cve-fixes

Last commit made on 2022-02-10
Get this branch:
git clone -b cve-fixes https://git.launchpad.net/~alfonsosanchezbeato/snappy-hwe-snaps/+git/bluez

Recent commits

92c238d... by Luiz Augusto von Dentz <email address hidden>

shared/gatt-server: Fix heap overflow when appending prepare

The code shall check if the prepare writes would append more than the
allowed maximum attribute length.

Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q

6c7ec37... by Luiz Augusto von Dentz <email address hidden>

sdp: Fix buffer overflow

sdp_append_buf shall check if there is enough space to store the data
before copying it.

An independent security researcher, Julian Rauchberger, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure
program.
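The two commits above (92c238d in shared/gatt-server and 6c7ec37 in sdp) fix the same class of bug: data copied into a fixed-size buffer without first checking that it fits. The example below is added here and is not BlueZ code; it models a hypothetical buffer that accumulates a long attribute value from several prepare-write requests and shows the check that both commit messages say was missing. MAX_VALUE_LEN, struct value_buf, value_append and the scenario_* functions are assumptions for illustration, not bluez symbols.

```c
/*
 * Added example, not BlueZ code: the bounds check the two commits above
 * describe, applied to a hypothetical buffer that accumulates a long
 * attribute value from several prepare-write requests.  Every identifier
 * here (MAX_VALUE_LEN, struct value_buf, value_append, the scenario_*
 * functions) is an assumption for illustration, not a bluez symbol.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VALUE_LEN ((size_t)512)   /* assumed maximum attribute value length */

struct value_buf {
    uint8_t data[MAX_VALUE_LEN];
    size_t len;                       /* bytes stored so far */
};

static void value_init(struct value_buf *b)
{
    memset(b, 0, sizeof(*b));
}

/*
 * Hardened append.  offset and len both come from the peer, so prove the
 * write lands inside data[] before touching memory.  The test is written as
 * "len > MAX - offset" rather than "offset + len > MAX" so that a huge
 * offset or len cannot wrap the addition and slip past the check.  This is
 * the check the two commit messages say was missing.
 */
static bool value_append(struct value_buf *b, size_t offset,
                         const uint8_t *value, size_t len)
{
    if (offset > MAX_VALUE_LEN || len > MAX_VALUE_LEN - offset)
        return false;                 /* would exceed the allowed maximum */
    memcpy(b->data + offset, value, len);
    if (offset + len > b->len)
        b->len = offset + len;
    return true;
}

/* Two 256-byte prepare writes fill the value exactly; returns the final length. */
size_t scenario_fill_exactly(void)
{
    struct value_buf b;
    uint8_t chunk[256];

    value_init(&b);
    memset(chunk, 0xAB, sizeof(chunk));
    if (!value_append(&b, 0, chunk, sizeof(chunk)) ||
        !value_append(&b, 256, chunk, sizeof(chunk)))
        return 0;
    return b.len;
}

/* A third prepare write past the maximum must be refused and leave the
 * stored length untouched; returns 1 on correct behaviour. */
int scenario_reject_overflow(void)
{
    struct value_buf b;
    uint8_t chunk[256];

    value_init(&b);
    memset(chunk, 0xCD, sizeof(chunk));
    if (!value_append(&b, 0, chunk, sizeof(chunk)) ||
        !value_append(&b, 256, chunk, sizeof(chunk)))
        return 0;
    return (!value_append(&b, 512, chunk, 1) && b.len == 512) ? 1 : 0;
}

/* An offset chosen so that offset + len wraps around must also be refused. */
int scenario_reject_wraparound(void)
{
    struct value_buf b;
    uint8_t byte = 0;

    value_init(&b);
    return (!value_append(&b, SIZE_MAX, &byte, 1) && b.len == 0) ? 1 : 0;
}

int main(void)
{
    printf("filled=%zu overflow_rejected=%d wrap_rejected=%d\n",
           scenario_fill_exactly(), scenario_reject_overflow(),
           scenario_reject_wraparound());
    return 0;
}
```

The same pattern applies to an append-only buffer such as the one sdp_append_buf fills: compare the incoming length against the remaining capacity (capacity minus current length) before the memcpy, never after.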

9402eff... by Bernie Conrad <email address hidden>

gatt: Fix not cleaning up when disconnected

There is a current use after free possible on a gatt server if a client
disconnects while a WriteValue call is being processed with dbus.

This patch includes the addition of a pending disconnect callback to handle
cleanup better if a disconnect occurs during a write, an acquire write
or read operation using bt_att_register_disconnect with the cb.

0c28c0a... by David Krauser

gatt: provide MTU in ReadValue and WriteValue

This includes the MTU value in ReadValue and WriteValue when acting as
a server.

Note: The actual data can be bigger than the MTU in case of WriteValue,
when a Long Value is written with Prepare + Execute.

4f60289... by Sebastian Urban

gatt-database: No multiple calls to AcquireWrite

This checks if an outstanding call to AcquireWrite is already in
progress. If so, the write request is placed into the queue, but
AcquireWrite is not called again. When a response to AcquireWrite is
received, acquire_write_reply sends all queued writes over the acquired
socket.

Making multiple simultaneous calls to AcquireWrite makes no sense,
as this would open multiple socket pairs and only the last returned
socket would be used for further writes.

70983a7... by Luiz Augusto von Dentz <email address hidden>

gatt: Fix Acquire* reply handling

Originally these operations did not set any owner_queue, which caused
them to crash if the attribute is freed before the response. To fix that
the reply will now check if owner_queue was reset to NULL, which means
the attribute is no longer available, but the owner_queue was never set
in the first place, so this ensures they are now set up properly.

dfd3143... by Luiz Augusto von Dentz <email address hidden>

gatt: Send device and link options with AcquireNotify

This adds the device and link options to AcquireNotify as mentioned in
the documentation.

7042a39... by Luiz Augusto von Dentz <email address hidden>

sdpd: Fix leaking buffers stored in cstates cache

These buffers shall only be kept in cache for as long as they are
needed, so this would clean up any client cstates under the following
conditions:

 - There is no cstate on the response
 - No continuation can be found for cstate
 - Different request opcode
 - Respond with an error
 - Client disconnect

Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq

dc370f9... by Luiz Augusto von Dentz <email address hidden>

sdp: Fix not checking if cstate length

cstate length should be smaller than cached length otherwise the
request shall be considered invalid as the data is not within the
cached buffer.

An independent security researcher, Julian Rauchberger, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure
program.
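Commits 7042a39 and dc370f9 above both concern the sdpd continuation state (cstate) cache: a cached response must only be continued from an offset that lies inside it, and the cached buffer must be dropped as soon as it can no longer be used. The example below is added here and is not BlueZ code; it is a hypothetical per-client cache that applies both rules. struct cstate_cache, cache_store, cache_continue, the scenario_* functions, OPCODE_A and the 10-byte sample response are all constructed for illustration.

```c
/*
 * Added example, not BlueZ code: a hypothetical per-client continuation
 * state (cstate) cache applying the two sdp commits above.  A continuation
 * offset is honoured only if it lies strictly inside the cached response,
 * and the cache is released as soon as it cannot be continued (bad offset,
 * different opcode, end of data).  All names and sample bytes are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum cont_status { CONT_MORE, CONT_DONE, CONT_INVALID };

struct cstate_cache {
    uint8_t *buf;    /* heap copy of the full response, NULL when empty */
    size_t len;      /* its length */
    uint8_t opcode;  /* request opcode the response was produced for */
};

static void cache_free(struct cstate_cache *c)
{
    free(c->buf);
    c->buf = NULL;
    c->len = 0;
}

/* Cache a freshly built response; any older one is dropped first. */
static int cache_store(struct cstate_cache *c, uint8_t opcode,
                       const uint8_t *data, size_t len)
{
    cache_free(c);
    c->buf = malloc(len);
    if (!c->buf)
        return 0;
    memcpy(c->buf, data, len);
    c->len = len;
    c->opcode = opcode;
    return 1;
}

/* Serve the next chunk. 'offset' is what the client echoed back in its
 * continuation state, so it is untrusted and checked against the cache. */
static enum cont_status cache_continue(struct cstate_cache *c, uint8_t opcode,
                                       size_t offset, uint8_t *out,
                                       size_t out_max, size_t *out_len)
{
    size_t n;
    *out_len = 0;
    /* no cache, different request opcode, or cstate outside the cached data */
    if (!c->buf || opcode != c->opcode || offset >= c->len) {
        cache_free(c);
        return CONT_INVALID;
    }
    n = c->len - offset;
    if (n > out_max)
        n = out_max;
    memcpy(out, c->buf + offset, n);
    *out_len = n;
    if (offset + n == c->len) {   /* last chunk: nothing left to keep */
        cache_free(c);
        return CONT_DONE;
    }
    return CONT_MORE;
}

/* Constructed 10-byte response and an assumed opcode value for the scenarios. */
static const uint8_t SAMPLE[10] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
#define OPCODE_A 0x02

/* Reads SAMPLE back in chunks of 4; returns the bytes delivered (10) only if
 * every chunk matched and the cache was released after the last one. */
size_t scenario_chunked_readout(void)
{
    struct cstate_cache c = { 0 };
    uint8_t out[4];
    size_t offset = 0, got;
    enum cont_status st;
    if (!cache_store(&c, OPCODE_A, SAMPLE, sizeof(SAMPLE)))
        return 0;
    do {
        st = cache_continue(&c, OPCODE_A, offset, out, sizeof(out), &got);
        if (st == CONT_INVALID || memcmp(out, SAMPLE + offset, got) != 0) {
            cache_free(&c);
            return 0;
        }
        offset += got;
    } while (st == CONT_MORE);
    return c.buf == NULL ? offset : 0;
}

/* Stores SAMPLE, then issues one continuation with the given opcode and
 * offset; returns 1 if it was refused with no data and the cache released. */
int scenario_rejected(uint8_t opcode, size_t offset)
{
    struct cstate_cache c = { 0 };
    uint8_t out[4];
    size_t got;
    int rejected;
    if (!cache_store(&c, OPCODE_A, SAMPLE, sizeof(SAMPLE)))
        return 0;
    rejected = cache_continue(&c, opcode, offset, out, sizeof(out), &got)
               == CONT_INVALID && got == 0 && c.buf == NULL;
    cache_free(&c);
    return rejected;
}
```

The offset check uses >= rather than >: an offset equal to the cached length has nothing left to send, so it is treated as invalid and the cache is released, which is exactly the leak the cleanup commit describes.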

6d8e747... by Luiz Augusto von Dentz <email address hidden>

shared/att: Fix possible crash on disconnect

If there are pending requests while disconnecting they would be notified,
but clients may end up being freed in the process, which will then be
calling bt_att_cancel to cancel their requests, causing the following
trace:

Invalid read of size 4
   at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
   by 0x1D247B: disc_att_send_op (att.c:417)
   by 0x1CCC17: queue_remove_all (queue.c:354)
   by 0x1D47B7: disconnect_cb (att.c:635)
   by 0x1E0707: watch_callback (io-glib.c:170)
   by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
   by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
   by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
   by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
   by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
   by 0x12BC3B: main (main.c:770)
 Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
   at 0x484A2E0: free (vg_replace_malloc.c:540)
   by 0x1CCC17: queue_remove_all (queue.c:354)
   by 0x1CCC83: queue_destroy (queue.c:73)
   by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
   by 0x16497B: batt_free (battery.c:77)
   by 0x16497B: batt_remove (battery.c:286)
   by 0x1A0013: service_remove (service.c:176)
   by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
   by 0x1A9B7B: gatt_service_removed (device.c:3805)
   by 0x1CC90B: queue_foreach (queue.c:220)
   by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
   by 0x1DE387: notify_service_changed (gatt-db.c:361)
   by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
   by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
   by 0x1D674F: discovery_op_complete (gatt-client.c:388)
   by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
   by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
   by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
   by 0x1D247B: disc_att_send_op (att.c:417)
   by 0x1CCC17: queue_remove_all (queue.c:354)
   by 0x1D47B7: disconnect_cb (att.c:635)