* SECURITY UPDATE: Integer overflow in gatt server protocol could lead to
a heap overflow, resulting in denial of service or potential code
execution.
- debian/patches/CVE-2022-0204.patch: add length and offset validation in
write_cb function in src/shared/gatt-server.c.
- CVE-2022-0204
-- Ray Veldkamp <email address hidden> Fri, 04 Feb 2022 10:25:37 +1100
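The CVE-2022-0204 entry above only says that write_cb gained length and offset validation. As an added illustration (not BlueZ's code; the struct and function names here are assumptions), this shows the class of bug it describes: a bounds check whose offset + length sum is accumulated in a 16-bit value wraps, so an out-of-range write passes the check and the following memcpy runs past the end of the heap-allocated attribute value. The hardened check validates offset and length separately so the addition cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a heap-allocated GATT attribute value.
 * Assumed names; not BlueZ's gatt-server.c types. */
struct attr_value {
	uint8_t *data;
	uint16_t len;
};

/* Vulnerable check (illustration of the bug class): the sum is stored in a
 * uint16_t, so offset 0xFFF0 + length 0x20 wraps to 0x0010 and passes the
 * bounds test although the write would land far past the buffer. */
bool write_allowed_vuln(uint16_t offset, uint16_t len, uint16_t value_len)
{
	uint16_t end = offset + len;	/* wraps modulo 2^16 */

	return end <= value_len;
}

/* Hardened check: reject an offset past the end first, then require the
 * length to fit in the space that remains. No addition can overflow. */
bool write_allowed_safe(uint16_t offset, uint16_t len, uint16_t value_len)
{
	if (offset > value_len)
		return false;

	if (len > (uint16_t)(value_len - offset))
		return false;

	return true;
}

/* Apply a write only after the hardened validation; false on rejection. */
bool attr_write(struct attr_value *attr, uint16_t offset,
		const uint8_t *src, uint16_t len)
{
	if (!write_allowed_safe(offset, len, attr->len))
		return false;

	if (len)
		memcpy(attr->data + offset, src, len);

	return true;
}

int main(void)
{
	uint8_t buf[16] = { 0 };
	struct attr_value v = { buf, sizeof(buf) };
	const uint8_t in[4] = { 1, 2, 3, 4 };	/* constructed sample write */

	printf("vuln check accepts offset 0xFFF0 len 0x20 on a 0x100 value: %d\n",
	       write_allowed_vuln(0xFFF0, 0x20, 0x100));
	printf("safe check accepts the same write: %d\n",
	       write_allowed_safe(0xFFF0, 0x20, 0x100));
	printf("write at offset 12, len 4 into 16 bytes: %d\n",
	       attr_write(&v, 12, in, 4));
	printf("write at offset 13, len 4 into 16 bytes: %d\n",
	       attr_write(&v, 13, in, 4));
	return 0;
}
```

The vulnerable variant is kept only to show why checking `offset` and `len` separately matters: any single comparison on a computed sum needs the sum to be computed in a type that cannot wrap.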
* SECURITY UPDATE: DoS via memory leak in sdp_cstate_alloc_buf
- debian/patches/CVE-2021-41229-pre1.patch: fix not checking if cstate
length in src/sdpd-request.c.
- debian/patches/CVE-2021-41229.patch: fix leaking buffers stored in
cstates cache in src/sdpd-request.c, src/sdpd-server.c, src/sdpd.h,
unit/test-sdp.c.
- CVE-2021-41229
* SECURITY UPDATE: use-after-free when client disconnects
- debian/patches/CVE-2021-43400-pre1.patch: send device and link
options with AcquireNotify in src/gatt-database.c.
- debian/patches/CVE-2021-43400-pre2.patch: fix Acquire* reply handling
in src/gatt-database.c.
- debian/patches/CVE-2021-43400-pre3.patch: no multiple calls to
AcquireWrite in src/gatt-database.c.
- debian/patches/CVE-2021-43400-pre4.patch: provide MTU in ReadValue
and WriteValue in src/gatt-database.c.
- debian/patches/CVE-2021-43400.patch: fix not cleaning up when
disconnected in src/gatt-database.c.
- CVE-2021-43400
-- Marc Deslauriers <email address hidden> Wed, 17 Nov 2021 10:52:30 -0500
6c7ec37... by Luiz Augusto von Dentz <email address hidden>
sdp: Fix buffer overflow
sdp_append_buf shall check if there is enough space to store the data
before copying it.
An independent security researcher, Julian Rauchberger, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure
program.
9402eff... by Bernie Conrad <email address hidden>
gatt: Fix not cleaning up when disconnected
There is a current use after free possible on a gatt server if a client
disconnects while a WriteValue call is being processed with dbus.
This patch includes the addition of a pending disconnect callback to handle
cleanup better if a disconnect occurs during a write, an acquire write
or read operation using bt_att_register_disconnect with the cb.
This checks if an outstanding call to AcquireWrite is already in
progress. If so, the write request is placed into the queue, but
AcquireWrite is not called again. When a response to AcquireWrite is
received, acquire_write_reply sends all queued writes over the acquired
socket.
Making multiple simultaneous calls to AcquireWrite makes no sense,
as this would open multiple socket pairs and only the last returned
socket would be used for further writes.
70983a7... by Luiz Augusto von Dentz <email address hidden>
gatt: Fix Acquire* reply handling
Originally these operations did not set any owner_queue, which caused
them to crash if the attribute is freed before the response. To fix that,
the reply will now check if owner_queue was reset to NULL, which means
the attribute is no longer available; but the owner_queue was never set
in the first place, so this ensures they are now set up properly.
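The two commit messages above (the pending disconnect callback registered with bt_att_register_disconnect, and the reply handler checking whether its owner was reset to NULL) describe one pattern: an asynchronous reply must not dereference an object that the disconnect path has already freed. The following is an added model of that pattern, not BlueZ's gatt-database.c code; the att, attribute and pending_write types and every function name are assumptions. The disconnect callback detaches the outstanding operation from its owner before the owner is freed, and the reply checks that link before touching anything.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct attribute;

/* One outstanding WriteValue call. owner becomes NULL if the attribute is
 * torn down before the reply arrives. */
struct pending_write {
	struct attribute *owner;
	uint8_t value;
};

struct attribute {
	struct pending_write *pending;	/* at most one outstanding write */
	uint8_t value;
};

typedef void (*att_disconnect_cb)(void *user_data);

/* Minimal stand-in for an ATT connection with a single disconnect hook. */
struct att {
	att_disconnect_cb disconnect_cb;
	void *disconnect_data;
};

void att_register_disconnect(struct att *att, att_disconnect_cb cb,
			     void *user_data)
{
	att->disconnect_cb = cb;
	att->disconnect_data = user_data;
}

void att_disconnect(struct att *att)
{
	if (att->disconnect_cb)
		att->disconnect_cb(att->disconnect_data);
	att->disconnect_cb = NULL;
	att->disconnect_data = NULL;
}

/* Disconnect callback: detach the in-flight write from its owner, then free
 * the attribute together with the connection. The reply keeps its own
 * allocation alive until it runs, so it can see the NULL owner. */
static void attribute_disconnect(void *user_data)
{
	struct attribute *attr = user_data;

	if (attr->pending)
		attr->pending->owner = NULL;
	attr->pending = NULL;
	free(attr);
}

/* Start an asynchronous write and arm the disconnect hook for it. */
struct pending_write *attribute_start_write(struct att *att,
					    struct attribute *attr,
					    uint8_t value)
{
	struct pending_write *op = calloc(1, sizeof(*op));

	if (!op)
		return NULL;
	op->owner = attr;
	op->value = value;
	attr->pending = op;
	att_register_disconnect(att, attribute_disconnect, attr);
	return op;
}

enum reply_result { REPLY_APPLIED = 0, REPLY_DROPPED = 1 };

/* Asynchronous reply: the only safe thing to do for an orphaned operation
 * is to release it without touching the (already freed) owner. */
enum reply_result write_reply(struct pending_write *op)
{
	enum reply_result r;

	if (!op->owner) {
		r = REPLY_DROPPED;
	} else {
		op->owner->value = op->value;
		op->owner->pending = NULL;
		r = REPLY_APPLIED;
	}
	free(op);
	return r;
}

/* Drive the two orderings: reply before disconnect, and disconnect while the
 * write is still outstanding. Returns what the reply handler did. */
enum reply_result simulate(bool disconnect_before_reply)
{
	struct att att = { 0 };
	struct attribute *attr = calloc(1, sizeof(*attr));
	struct pending_write *op = attribute_start_write(&att, attr, 0x42);
	enum reply_result r;

	if (disconnect_before_reply)
		att_disconnect(&att);	/* frees attr, detaches op */

	r = write_reply(op);

	if (!disconnect_before_reply)
		free(attr);
	return r;
}

int main(void)
{
	printf("reply before disconnect: %s\n",
	       simulate(false) == REPLY_APPLIED ? "applied" : "dropped");
	printf("disconnect before reply: %s\n",
	       simulate(true) == REPLY_APPLIED ? "applied" : "dropped");
	return 0;
}
```

Without the detach step in the disconnect callback, the reply in the second ordering would write through a dangling owner pointer; running the model under AddressSanitizer with that line removed is the quickest way to see the use-after-free the commit message refers to.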
dfd3143... by Luiz Augusto von Dentz <email address hidden>
gatt: Send device and link options with AcquireNotify
This adds the device and link options to AcquireNotify as mentioned in
the documentation.
7042a39... by Luiz Augusto von Dentz <email address hidden>
sdpd: Fix leaking buffers stored in cstates cache
These buffers shall only be kept in the cache for as long as they are
needed, so this cleans up any client cstates under the following
conditions:
- There is no cstate on the response
- No continuation can be found for cstate
- Different request opcode
- Respond with an error
- Client disconnect
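The cleanup conditions listed above are easiest to see against a working continuation-state cache. The following is an added toy model, not BlueZ's sdpd code: a client-scoped cache of response remainders, a request handler that continues a cached response when the request carries a matching cstate, and cleanup applied under each of the listed conditions (no cstate on the response, no continuation found, different request opcode, error response, client disconnect). The type and function names, the 4-byte chunk size and the request opcodes used in the sample are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RSP 4	/* tiny chunk size so a response needs continuations */

enum { SDP_OK = 0, SDP_MORE = 1, SDP_ERR = -1 };

/* Cached remainder of a response, continued by a later request. */
struct cstate_buf {
	uint32_t id;
	uint8_t opcode;		/* request opcode the buffer was built for */
	uint8_t *data;
	size_t len;
	struct cstate_buf *next;
};

struct sdp_client {
	struct cstate_buf *cstates;
	uint32_t next_id;	/* 0 is reserved for "no cstate" */
};

/* Drop every cached buffer held for the client. */
void sdp_cstate_cleanup(struct sdp_client *c)
{
	while (c->cstates) {
		struct cstate_buf *b = c->cstates;

		c->cstates = b->next;
		free(b->data);
		free(b);
	}
}

size_t sdp_cstate_count(const struct sdp_client *c)
{
	size_t n = 0;

	for (const struct cstate_buf *b = c->cstates; b; b = b->next)
		n++;
	return n;
}

static struct cstate_buf *sdp_cstate_find(struct sdp_client *c, uint32_t id)
{
	for (struct cstate_buf *b = c->cstates; b; b = b->next)
		if (b->id == id)
			return b;
	return NULL;
}

/* Handle one request. cstate 0 means a new request whose full response is
 * payload; otherwise continue the cached response for that cstate. One
 * chunk is copied to out/out_len. If more remains it is re-cached under a
 * fresh id returned in *cstate_out and SDP_MORE is returned. */
int sdp_respond(struct sdp_client *c, uint8_t opcode, uint32_t cstate,
		const uint8_t *payload, size_t payload_len,
		uint8_t *out, size_t *out_len, uint32_t *cstate_out)
{
	const uint8_t *src = payload;
	size_t remaining = payload_len;
	struct cstate_buf *b;

	if (cstate != 0) {
		struct cstate_buf *cached = sdp_cstate_find(c, cstate);

		/* No continuation for this cstate, or a different request
		 * opcode: respond with an error and drop the cache. */
		if (!cached || cached->opcode != opcode) {
			sdp_cstate_cleanup(c);
			return SDP_ERR;
		}
		src = cached->data;
		remaining = cached->len;
	}

	*out_len = remaining < MAX_RSP ? remaining : MAX_RSP;
	if (*out_len)
		memcpy(out, src, *out_len);
	remaining -= *out_len;

	if (remaining == 0) {
		/* No cstate on the response: nothing left to continue. */
		sdp_cstate_cleanup(c);
		*cstate_out = 0;
		return SDP_OK;
	}

	/* Copy the remainder out before the old cache entry is freed. */
	b = calloc(1, sizeof(*b));
	if (!b || !(b->data = malloc(remaining))) {
		free(b);
		sdp_cstate_cleanup(c);
		return SDP_ERR;		/* error response drops the cache too */
	}
	memcpy(b->data, src + *out_len, remaining);
	b->len = remaining;
	b->opcode = opcode;
	b->id = ++c->next_id;
	sdp_cstate_cleanup(c);	/* only the new remainder stays cached */
	c->cstates = b;
	*cstate_out = b->id;
	return SDP_MORE;
}

/* Client disconnect: nothing buffered can ever be continued. */
void sdp_client_disconnect(struct sdp_client *c)
{
	sdp_cstate_cleanup(c);
}
```

Every return path that ends the exchange (final chunk, unknown cstate, opcode mismatch, allocation failure, disconnect) goes through sdp_cstate_cleanup, which is the property the leak fix adds: a buffer never outlives the request sequence it belongs to.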