Merge ~kzapalowicz/snappy-hwe-snaps/+git/bluez:fix/cve-blueborne into ~snappy-hwe-team/snappy-hwe-snaps/+git/bluez:bluez/5.44

Proposed by Konrad Zapałowicz
Status: Merged
Approved by: Simon Fels
Approved revision: bcf7b1d88537efed65728fcf9a0429b9949b5800
Merged at revision: d0561cbdc3dd0d711c67c05d8383d6fb5147cf91
Proposed branch: ~kzapalowicz/snappy-hwe-snaps/+git/bluez:fix/cve-blueborne
Merge into: ~snappy-hwe-team/snappy-hwe-snaps/+git/bluez:bluez/5.44
Diff against target: 34 lines (+14/-9)
1 file modified
src/sdpd-request.c (+14/-9)
Reviewer | Review Type | Date Requested | Status
System Enablement Bot | continuous-integration | | Approve
Simon Fels | | | Approve
Review via email: mp+330677@code.launchpad.net

Description of the change

Simon Fels (morphis) wrote :

LGTM

review: Approve
System Enablement Bot (system-enablement-ci-bot) wrote :
review: Approve (continuous-integration)

Preview Diff

1diff --git a/src/sdpd-request.c b/src/sdpd-request.c
2index 1eefdce..ddeea7f 100644
3--- a/src/sdpd-request.c
4+++ b/src/sdpd-request.c
5@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
6 /* continuation State exists -> get from cache */
7 sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
8 if (pCache) {
9- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
10- pResponse = pCache->data;
11- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
12- buf->data_size += sent;
13- cstate->cStateValue.maxBytesSent += sent;
14- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
15- cstate_size = sdp_set_cstate_pdu(buf, NULL);
16- else
17- cstate_size = sdp_set_cstate_pdu(buf, cstate);
18+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
19+ status = SDP_INVALID_CSTATE;
20+ SDPDBG("Got bad cstate with invalid size");
21+ } else {
22+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
23+ pResponse = pCache->data;
24+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
25+ buf->data_size += sent;
26+ cstate->cStateValue.maxBytesSent += sent;
27+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
28+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
29+ else
30+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
31+ }
32 } else {
33 status = SDP_INVALID_CSTATE;
34 SDPDBG("Non-null continuation state, but null cache buffer");
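Review bot: The new guard `if (cstate->cStateValue.maxBytesSent >= pCache->data_size)` needs a short comment, because nothing in the hunk says that the offset comes from the request's continuation state or why `>=` was chosen over `>`. Without the check, an offset larger than the cached size left the memcpy source `pResponse + cstate->cStateValue.maxBytesSent` pointing past the cached data. An offset equal to the cached size, which the old code answered with `sent == 0` and a NULL cstate PDU, is now rejected as well, and the comment should state that this is intended. The message in `SDPDBG("Got bad cstate with invalid size")` would be more useful for triage if it printed both maxBytesSent and pCache->data_size. The check covers only the read side: `sent` is limited by `max` and the remaining cache bytes, so it is worth confirming, outside the lines shown here, that `max` cannot exceed the space available in buf->data. The description of the change is empty and the branch name only says fix/cve-blueborne, so the CVE being addressed and the origin of the patch should be recorded there or in the commit message.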