bluez/backport-CVE-2021-3588.patch

From 9e6889d3b9d8f4dcc1ba57e6345d1efb2fbe1e77 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 4 Jan 2021 10:41:53 -0800
Subject: [PATCH] gatt: Fix potential buffer out-of-bound

When client features is read check if the offset is within the cli_feat
bounds.

Fixes: https://github.com/bluez/bluez/issues/70

---
 src/gatt-database.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index c11d14b..a6530ba 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -1082,6 +1082,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
 		goto done;
 	}
 
+	if (offset >= sizeof(state->cli_feat)) {
+		ecode = BT_ATT_ERROR_INVALID_OFFSET;
+		goto done;
+	}
+
 	len = sizeof(state->cli_feat) - offset;
 	value = len ? &state->cli_feat[offset] : NULL;
 
-- 
2.23.0
fix CVE-2021-3588 2021-06-26 15:27:03 +08:00			`From 9e6889d3b9d8f4dcc1ba57e6345d1efb2fbe1e77 Mon Sep 17 00:00:00 2001`
			`From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>`
			`Date: Mon, 4 Jan 2021 10:41:53 -0800`
			`Subject: [PATCH] gatt: Fix potential buffer out-of-bound`

			`When client features is read check if the offset is within the cli_feat`
			`bounds.`

			`Fixes: https://github.com/bluez/bluez/issues/70`

			`---`
			`src/gatt-database.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/src/gatt-database.c b/src/gatt-database.c`
			`index c11d14b..a6530ba 100644`
			`--- a/src/gatt-database.c`
			`+++ b/src/gatt-database.c`
			`@@ -1082,6 +1082,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,`
			`goto done;`
			`}`

			`+ if (offset >= sizeof(state->cli_feat)) {`
			`+ ecode = BT_ATT_ERROR_INVALID_OFFSET;`
			`+ goto done;`
			`+ }`
			`+`
			`len = sizeof(state->cli_feat) - offset;`
			`value = len ? &state->cli_feat[offset] : NULL;`

			`--`
			`2.23.0`