Release date: 2008-06-16
Updated: 2008-07-08
Affected systems:
BlueZ BlueZ 3.34
Unaffected systems:
BlueZ BlueZ 3.35
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30105
CVE(CAN) ID: CVE-2008-2374
BlueZ is the official Linux Bluetooth protocol stack.
The BlueZ SDP parsing code blindly trusts the length field of SDP text strings read from the input. If a remote attacker sends a malicious response to an SDP query, a buffer overflow can be triggered, leading to a denial of service or execution of arbitrary code.
The following is the vulnerable code section in bluez-libs-3.30/src/sdp.c (starting at line 972):
static sdp_data_t *extract_str(const void *p, int *len)
{
    char *s;
    int n;
    sdp_data_t *d = malloc(sizeof(sdp_data_t));

    memset(d, 0, sizeof(sdp_data_t));
    d->dtd = *(uint8_t *) p;
    p += sizeof(uint8_t);
    *len += sizeof(uint8_t);

    switch (d->dtd) {
    case SDP_TEXT_STR8:
    case SDP_URL_STR8:
        n = *(uint8_t *) p;                          // <-- from the incoming packet
        p += sizeof(uint8_t);
        *len += sizeof(uint8_t) + n;                 // <-- blindly trusted here, may advance parser past end of packet
        break;
    case SDP_TEXT_STR16:
    case SDP_URL_STR16:
        n = ntohs(bt_get_unaligned((uint16_t *) p)); // <-- from the incoming packet
        p += sizeof(uint16_t);
        *len += sizeof(uint16_t) + n;                // <-- blindly trusted here, may advance parser past end of packet
        break;
    default:
        SDPERR("Sizeof text string > UINT16_MAX\n");
        free(d);
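As an added illustration (not code from this advisory or from BlueZ), the following shows the shape of a bounds-checked extract_str: it is given the number of bytes actually remaining in the packet and rejects any declared string length that does not fit, so the parser cannot be advanced past the end of the buffer. The descriptor constants, the sdp_str_t stand-in and the sample values are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Descriptor values as in BlueZ sdp.h (assumed here, not taken from the advisory). */
enum { SDP_TEXT_STR8 = 0x25, SDP_TEXT_STR16 = 0x26, SDP_URL_STR8 = 0x45, SDP_URL_STR16 = 0x46 };
/* Minimal stand-in for the sdp_data_t fields this routine fills. */
typedef struct { uint8_t dtd; char *str; } sdp_str_t;

/* Bounds-checked version of extract_str. bufsize is the number of bytes really left in the
 * packet; the declared length is honoured only if header and payload both fit. On rejection
 * NULL is returned and *len is untouched, so the caller never advances past the buffer. */
static sdp_str_t *extract_str_checked(const void *p, int bufsize, int *len)
{
    const uint8_t *q = p;
    int hdr, n = -1;
    sdp_str_t *d;
    if (bufsize < 1) return NULL;                         /* no descriptor byte at all */
    switch (q[0]) {
    case SDP_TEXT_STR8: case SDP_URL_STR8:
        hdr = 2; if (bufsize >= hdr) n = q[1]; break;
    case SDP_TEXT_STR16: case SDP_URL_STR16:
        hdr = 3; if (bufsize >= hdr) n = (q[1] << 8) | q[2]; break;  /* big-endian, as ntohs() */
    default:
        return NULL;
    }
    if (n < 0 || n > bufsize - hdr) return NULL;          /* the check the vulnerable code lacks */
    d = calloc(1, sizeof *d);
    if (!d || !(d->str = malloc((size_t)n + 1))) { free(d); return NULL; }
    memcpy(d->str, q + hdr, (size_t)n);                   /* copies only bytes the packet holds */
    d->str[n] = '\0';
    d->dtd = q[0];
    *len += hdr + n;
    return d;
}
/* Constructed sample values (not captured traffic): honest lengths and over-long ones. */
static const uint8_t ok8[]   = { SDP_TEXT_STR8, 3, 'a', 'b', 'c' };
static const uint8_t bad8[]  = { SDP_TEXT_STR8, 200, 'a', 'b', 'c' };
static const uint8_t ok16[]  = { SDP_URL_STR16, 0x00, 0x02, 'h', 'i' };
static const uint8_t bad16[] = { SDP_URL_STR16, 0xff, 0xff, 'h', 'i' };
/* Parse one value; return the bytes it consumed, or -1 when it was rejected. */
static int consumed_bytes(const uint8_t *pkt, int size)
{
    int len = 0;
    sdp_str_t *d = extract_str_checked(pkt, size, &len);
    if (!d) return -1;
    free(d->str); free(d);
    return len;
}
```

With the sample values, the two honest attributes consume 5 bytes each, while the two that declare more payload than the packet carries are rejected instead of moving the parser beyond the buffer.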