From de79f4c749e02448eee6ef2658f8a1b4e0384373 Mon Sep 17 00:00:00 2001
From: Hirokazu MORIKAWA
Date: Wed, 27 Sep 2017 14:09:45 +0900
Subject: [PATCH] bluez: fix CVE-2017-1000250
Signed-off-by: Hirokazu MORIKAWA
bluez: fix CVE-2017-1000250
Signed-off-by: Hirokazu MORIKAWA
---
 utils/bluez/Makefile | 2 +-
 utils/bluez/patches/202-CVE-2017-1000250.patch | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 utils/bluez/patches/202-CVE-2017-1000250.patch
diff --git a/utils/bluez/Makefile b/utils/bluez/Makefile
index 0430cd6c1a..46d0ba47b0 100644
--- a/utils/bluez/Makefile
+++ b/utils/bluez/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=bluez
 PKG_VERSION:=5.38
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/bluetooth/
diff --git a/utils/bluez/patches/202-CVE-2017-1000250.patch b/utils/bluez/patches/202-CVE-2017-1000250.patch
new file mode 100644
index 0000000000..3088b0ee24
--- /dev/null
+++ b/utils/bluez/patches/202-CVE-2017-1000250.patch
@@ -0,0 +1,13 @@
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ } else {
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+- if (pCache) {
++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
--
2.30.2
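Review bot: The new `202-CVE-2017-1000250.patch` starts directly at `diff --git` with no header, so nothing records which upstream BlueZ commit it backports or when it can be dropped. A short header would make that auditable, for example `Backport of the upstream BlueZ fix for CVE-2017-1000250 (out-of-bounds read of the cached SDP response in service_search_attr_req); drop once PKG_VERSION contains it.` The guard itself is in the right place: it rejects a continuation-state offset `maxBytesSent` at or beyond `pCache->data_size` before the `MIN(...)` subtraction and before the offset is used in `memcpy`. `service_search_attr_req` continues outside the hunk, so confirm that the existing `else` path for a rejected continuation state returns an error status to the peer, and that its log message still makes sense when `pCache` is non-NULL but the offset is out of range. If any other handler in `sdpd-request.c` also copies from `sdp_get_cached_rsp()` at a `maxBytesSent` offset, it needs the same bound; this patch touches only this one function.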