From 63137fd54075adae2f65309ee0aea0087c0d972d Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Tue, 8 Jun 2021 16:46:49 -0700 Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare writes The code shall check if the prepare writes would append more the allowed maximum attribute length. Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q Signed-off-by: Anuj Jain Signed-off-by: Ayush Garg --- src/shared/gatt-server.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c index 22f7ef30..0135b5c3 100644 --- a/src/shared/gatt-server.c +++ b/src/shared/gatt-server.c @@ -792,6 +792,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server, server->authorize_data); } +static uint8_t check_length(uint16_t length, uint16_t offset) +{ + if (length > BT_ATT_MAX_VALUE_LEN) + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; + + if (offset > BT_ATT_MAX_VALUE_LEN) + return BT_ATT_ERROR_INVALID_OFFSET; + + if (length + offset > BT_ATT_MAX_VALUE_LEN) + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; + + return 0; +} + static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, uint16_t length, void *user_data) { @@ -822,6 +836,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", handle); + ecode = check_length(length, 0); + if (ecode) + goto error; + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); if (ecode) goto error; @@ -1325,6 +1343,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, util_debug(server->debug_callback, server->debug_data, "Prep Write Req - handle: 0x%04x", handle); + ecode = check_length(length, offset); + if (ecode) + goto error; + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); if (ecode) goto error; -- 2.34.1