bluez: fix CVE-2017-1000250
authorHirokazu MORIKAWA <morikw2@gmail.com>
Wed, 27 Sep 2017 05:09:45 +0000 (14:09 +0900)
committerHirokazu MORIKAWA <morikw2@gmail.com>
Wed, 27 Sep 2017 05:17:34 +0000 (14:17 +0900)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
bluez: fix CVE-2017-1000250

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
utils/bluez/Makefile
utils/bluez/patches/202-CVE-2017-1000250.patch [new file with mode: 0644]

index 0430cd6c1ae766f004d91ed06589850a8d1f6f82..46d0ba47b0f2cfc85a14bf30ef8ef9bb2211a6b3 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bluez
 PKG_VERSION:=5.38
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/bluetooth/
diff --git a/utils/bluez/patches/202-CVE-2017-1000250.patch b/utils/bluez/patches/202-CVE-2017-1000250.patch
new file mode 100644 (file)
index 0000000..3088b0e
--- /dev/null
@@ -0,0 +1,13 @@
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+       } else {
+               /* continuation State exists -> get from cache */
+               sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-              if (pCache) {
++              if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+                       uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+                       pResponse = pCache->data;
+                       memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
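Review bot: The new patch file starts directly at `diff --git` with no header, so nothing in the tree records where the fix came from or why the extra bound is there. A short preamble above the diff would help whoever next bumps the package, e.g. `Upstream: <upstream-commit-id>` followed by `Reject a continuation state whose maxBytesSent is not below the cached response size, so the MIN() subtraction cannot wrap and memcpy stays inside pCache->data.` The added condition looks right for the lines shown, but the `else` path that now also receives a rejected continuation state lies outside the hunk. Confirm that it returns an error status to the client rather than an empty success. Other handlers in sdpd-request.c that take an offset from the continuation state are not visible here and may need the same bound.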