SHA256
1
0
forked from pool/bluez
bluez/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
Dirk Mueller 2ed80b1192 - update to 5.65:
* Fix issue with A2DP cache invalidation handling.
  * Fix issue with A2DP and not initialized SEP codec.
  * Fix issue with A2DP and multiple SetConfiguration to same SEP
  * Fix issue with AVRCP and not properly initialized volume.
  * Fix issue with SDP records when operating in LE only mode.
  * Fix issue with HoG and not reading report map of instances.
  * Fix issue with GATT server crashing while disconnecting.
  * Fix issue with not removing connected devices.
  * Fix issue with enabling wake support without RPA Resolution.
  * Fix issue with pairing failed due to the error of Already Paired.
  * Add support for CONFIGURATION_DIRECTORY environment variable.
  * Add support for STATE_DIRECTORY environment variable.
  * Add support for "Bonded" property with Device API.
  * Add experimental support for ISO socket.
- drop bluez-test-2to3.diff (obsolete/upstream)

OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=330
2022-08-17 20:39:29 +00:00

32 lines
1011 B
Diff

# Upstream suggests to use btmon instead of hcidump and does not want those patches
# => PATCH-FIX-OPENSUSE for those two :-)
# fix some memory leak with malformed packet (reported upstream but not yet fixed)
From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <acho@suse.com>
Date: Thu, 3 May 2018 18:52:19 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
The Supported Commands is a 64 octet bit field.
Do not allow to read more then the size.
---
tools/parser/csr.c | 5 +++++
1 file changed, 5 insertions(+)
Index: bluez-5.65/tools/parser/csr.c
===================================================================
--- bluez-5.65.orig/tools/parser/csr.c
+++ bluez-5.65/tools/parser/csr.c
@@ -133,6 +133,11 @@ static inline void commands_dump(int lev
unsigned char commands[64];
unsigned int i;
+ if (frm->len > 64) {
+ perror("Read failed");
+ exit(1);
+ }
+
memcpy(commands, frm->ptr, frm->len);
p_indent(level, frm);