Skip to content
Permalink
Browse files Browse the repository at this point in the history
shared/gatt-server: Fix heap overflow when appending prepare writes
The code shall check if the prepare writes would append more the
allowed maximum attribute length.

Fixes GHSA-479m-xcq5-9g2q
  • Loading branch information
Vudentz committed Nov 12, 2021
1 parent e79417e commit 591c546
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions src/shared/gatt-server.c
Expand Up @@ -779,6 +779,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
server->authorize_data);
}

static uint8_t check_length(uint16_t length, uint16_t offset)
{
if (length > BT_ATT_MAX_VALUE_LEN)
return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;

if (offset > BT_ATT_MAX_VALUE_LEN)
return BT_ATT_ERROR_INVALID_OFFSET;

if (length + offset > BT_ATT_MAX_VALUE_LEN)
return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;

return 0;
}

static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
uint16_t length, void *user_data)
{
Expand Down Expand Up @@ -809,6 +823,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
handle);

ecode = check_length(length, 0);
if (ecode)
goto error;

ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;
Expand Down Expand Up @@ -1299,6 +1317,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
util_debug(server->debug_callback, server->debug_data,
"Prep Write Req - handle: 0x%04x", handle);

ecode = check_length(length, offset);
if (ecode)
goto error;

ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;
Expand Down

0 comments on commit 591c546

Please sign in to comment.