1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+When client features is read check if the offset is within the cli_feat
+bounds.
+Fixes: https://github.com/bluez/bluez/issues/70
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+CVE: CVE-2021-3588
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
+++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+                goto done;
+        }
+ 
+       if (offset >= sizeof(state->cli_feat)) {
+               ecode = BT_ATT_ERROR_INVALID_OFFSET;
+               goto done;
+       }
+
+        len = sizeof(state->cli_feat) - offset;
+        value = len ? &state->cli_feat[offset] : NULL;
+

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
	1	From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Mon, 4 Jan 2021 10:38:31 -0800
	4	Subject: [PATCH] gatt: Fix potential buffer out-of-bound
	5
	6	When client features is read check if the offset is within the cli_feat
	7	bounds.
	8
	9	Fixes: https://github.com/bluez/bluez/issues/70
	10
	11	+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
	12	+Signed-off-by: Steve Sakoman <steve@sakoman.com>
	13	+CVE: CVE-2021-3588
	14
	15	---
	16	src/gatt-database.c \| 5 +++++
	17	1 file changed, 5 insertions(+)
	18
	19	diff --git a/src/gatt-database.c b/src/gatt-database.c
	20	index 90cc4bade..f2d7b5821 100644
	21	--- a/src/gatt-database.c
	22	+++ b/src/gatt-database.c
	23	@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
	24	goto done;
	25	}
	26
	27	+ if (offset >= sizeof(state->cli_feat)) {
	28	+ ecode = BT_ATT_ERROR_INVALID_OFFSET;
	29	+ goto done;
	30	+ }
	31	+
	32	len = sizeof(state->cli_feat) - offset;
	33	value = len ? &state->cli_feat[offset] : NULL;
	34