| Message ID | 20210104184153.3218489-1-luiz.dentz@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [BlueZ] gatt: Fix potential buffer out-of-bound | expand |
Hi, On Mon, Jan 4, 2021 at 10:57 AM <bluez.test.bot@gmail.com> wrote: > > This is automated email and please do not reply to this email! > > Dear submitter, > > Thank you for submitting the patches to the linux bluetooth mailing list. > This is a CI test results with your patch series: > PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=408793 > > ---Test result--- > > ############################## > Test: CheckPatch - PASS > > ############################## > Test: CheckGitLint - PASS > > ############################## > Test: CheckBuild - PASS > > ############################## > Test: MakeCheck - PASS > > > > --- > Regards, > Linux Bluetooth Pushed.
diff --git a/src/gatt-database.c b/src/gatt-database.c index 90cc4bade..f2d7b5821 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, goto done; } + if (offset >= sizeof(state->cli_feat)) { + ecode = BT_ATT_ERROR_INVALID_OFFSET; + goto done; + } + len = sizeof(state->cli_feat) - offset; value = len ? &state->cli_feat[offset] : NULL;
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> When client features is read check if the offset is within the cli_feat bounds. Fixes: https://github.com/bluez/bluez/issues/70 --- src/gatt-database.c | 5 +++++ 1 file changed, 5 insertions(+)