Control: tags -1 + patch

And attached the proposed patch.

Regards,
Salvatore
Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
Origin: vendor
Bug-Debian: https://bugs.debian.org/875633
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000250
Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2017-1000250
Forwarded: no
Author: Armis Security <secur...@armis.com>
Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
Last-Update: 2017-09-12

diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index 1eefdce..ddeea7f 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
                /* continuation State exists -> get from cache */
                sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
                if (pCache) {
-                       uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
-                       pResponse = pCache->data;
-                       memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
-                       buf->data_size += sent;
-                       cstate->cStateValue.maxBytesSent += sent;
-                       if (cstate->cStateValue.maxBytesSent == pCache->data_size)
-                               cstate_size = sdp_set_cstate_pdu(buf, NULL);
-                       else
-                               cstate_size = sdp_set_cstate_pdu(buf, cstate);
+                       if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+                               status = SDP_INVALID_CSTATE;
+                               SDPDBG("Got bad cstate with invalid size");
+                       } else {
+                               uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+                               pResponse = pCache->data;
+                               memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+                               buf->data_size += sent;
+                               cstate->cStateValue.maxBytesSent += sent;
+                               if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+                                       cstate_size = sdp_set_cstate_pdu(buf, NULL);
+                               else
+                                       cstate_size = sdp_set_cstate_pdu(buf, cstate);
+                       }
                } else {
                        status = SDP_INVALID_CSTATE;
                        SDPDBG("Non-null continuation state, but null cache buffer");
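Review bot: The new guard at the top of the `if (pCache)` branch has no comment explaining why it exists, and the reason is the whole point of the fix: `maxBytesSent` is taken from the peer-supplied continuation state, so without this check the subtraction `pCache->data_size - cstate->cStateValue.maxBytesSent` wraps and the following memcpy copies from beyond the cached response into the reply. I would add above it `/* maxBytesSent is taken from the peer's continuation state; reject an offset at or past the cached response, otherwise the subtraction below wraps and memcpy reads past pCache->data */`. Rejecting equality is consistent with the existing flow, since a fully sent cache already answers with a NULL cstate on the last valid chunk rather than accepting a follow-up. The resulting `sent` is still narrowed to uint16_t, which is only safe because MIN bounds it by `max`; that bound, and the capacity of `buf->data`, are established outside this hunk, as service_search_attr_req begins before and continues after it.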
