
Commit e6d27c7

LingaoM authored and carlescufi committed
Bluetooth: Host: Fix ATT security vulnerabilities
When the client receives an ATT error rsp but the error code is an illegal value, such as 0, an exception will be triggered.
gatt_read_type --> gatt_read_type_rsp --> parse_characteristic `switch (rsp->len) {` null address access.
Signed-off-by: Lingao Meng <menglingao@xiaomi.com>
1 parent 7420bb5 commit e6d27c7
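The failure path the commit message walks through (att_error_rsp -> gatt_read_type_rsp -> parse_characteristic), as an added example written for this page rather than code from Zephyr: a minimal C model of an ATT client completing a pending Read By Type request from an ATT_ERROR_RSP. The names att_error_rsp_model, read_type_cb, parse_characteristic_model and the RC_* result codes are hypothetical stand-ins chosen for the example; only the opcode and error-code values come from the Bluetooth Core Specification (Vol 3, Part F). With the `error == 0` check disabled, a response carrying error code 0 reaches the parse path with a NULL buffer; with it enabled, the code is mapped to Unlikely Error and reported as a failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from Bluetooth Core Spec Vol 3, Part F. */
#define ATT_OP_ERROR_RSP        0x01
#define ATT_OP_READ_TYPE_REQ    0x08
#define ATT_ERR_ATTR_NOT_FOUND  0x0a
#define ATT_ERR_UNLIKELY        0x0e

/* Distinct outcomes for the model (hypothetical, for this example only). */
#define RC_MALFORMED    (-100)  /* PDU too short or not an ATT_ERROR_RSP */
#define RC_NO_PENDING   (-101)  /* no request outstanding, nothing to complete */
#define RC_NULL_DEREF   (-102)  /* parse path entered with pdu == NULL */

/* Stand-in for parse_characteristic(): the real function begins by
 * switching on rsp->len, i.e. it reads through the response pointer. */
static int parse_characteristic_model(const uint8_t *pdu, uint16_t len)
{
	if (pdu == NULL) {
		/* The real code would dereference NULL here; report it instead. */
		return RC_NULL_DEREF;
	}
	return len > 0 ? pdu[0] : RC_MALFORMED;
}

/* Stand-in for gatt_read_type_rsp(): err == 0 means "pdu is a valid
 * Read By Type response, parse it"; anything else is reported as an error. */
static int read_type_cb(uint8_t err, const uint8_t *pdu, uint16_t len)
{
	if (err) {
		return -(int)err;
	}
	return parse_characteristic_model(pdu, len);
}

/* Stand-in for att_error_rsp(). `have_pending` models chan->req being set,
 * `fixed` toggles the `!rsp->error` check added by the patch. An error
 * response carries no data for the request, so the callback gets pdu == NULL. */
static int att_error_rsp_model(const uint8_t *pdu, size_t len,
			       bool have_pending, bool fixed)
{
	uint8_t request, error;
	uint16_t handle;

	/* ATT_ERROR_RSP: opcode(1) | request opcode(1) | handle(2, LE) | error(1) */
	if (len < 5 || pdu[0] != ATT_OP_ERROR_RSP) {
		return RC_MALFORMED;
	}
	request = pdu[1];
	handle = (uint16_t)(pdu[2] | (pdu[3] << 8));
	error = pdu[4];
	(void)request;
	(void)handle;

	/* Don't retry if there is no req pending. */
	if (!have_pending) {
		return RC_NO_PENDING;
	}

	/* The patch's addition: a code of 0 (or any code the client cannot
	 * interpret) still means the request failed, so it must never reach
	 * the callback looking like success. */
	if (fixed && error == 0) {
		error = ATT_ERR_UNLIKELY;
	}

	return read_type_cb(error, NULL, 0);
}

/* Constructed sample PDUs, not captured traffic: error responses to a
 * Read By Type request on handle 0x0001. */
static const uint8_t ERR_RSP_CODE_ZERO[] = { 0x01, 0x08, 0x01, 0x00, 0x00 };
static const uint8_t ERR_RSP_NOT_FOUND[] = { 0x01, 0x08, 0x01, 0x00, 0x0a };

int main(void)
{
	printf("code 0, unpatched: %d\n",
	       att_error_rsp_model(ERR_RSP_CODE_ZERO, sizeof(ERR_RSP_CODE_ZERO), true, false));
	printf("code 0, patched:   %d\n",
	       att_error_rsp_model(ERR_RSP_CODE_ZERO, sizeof(ERR_RSP_CODE_ZERO), true, true));
	printf("not found:         %d\n",
	       att_error_rsp_model(ERR_RSP_NOT_FOUND, sizeof(ERR_RSP_NOT_FOUND), true, true));
	return 0;
}
```

The model returns a sentinel where the real code would dereference NULL, so it can be run safely; the point is that a peer controls rsp->error and 0 is the one value that collapses "request failed" into "response ready to parse".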

File tree

1 file changed (+12, -2 lines)
  • subsys/bluetooth/host

subsys/bluetooth/host/att.c

Lines changed: 12 additions & 2 deletions
@@ -2313,8 +2313,18 @@ static uint8_t att_error_rsp(struct bt_att_chan *chan, struct net_buf *buf)
23132313
BT_DBG("request 0x%02x handle 0x%04x error 0x%02x", rsp->request,
23142314
sys_le16_to_cpu(rsp->handle), rsp->error);
23152315

2316-
/* Don't retry if there is no req pending or it has been cancelled */
2317-
if (!chan->req || chan->req == &cancel) {
2316+
/* Don't retry if there is no req pending or it has been cancelled.
2317+
*
2318+
* BLUETOOTH SPECIFICATION Version 5.2 [Vol 3, Part F]
2319+
* page 1423:
2320+
*
2321+
* If an error code is received in the ATT_ERROR_RSP PDU that is not
2322+
* understood by the client, for example an error code that was reserved
2323+
* for future use that is now being used in a future version of the
2324+
* specification, then the ATT_ERROR_RSP PDU shall still be considered to
2325+
* state that the given request cannot be performed for an unknown reason.
2326+
*/
2327+
if (!chan->req || chan->req == &cancel || !rsp->error) {
23182328
err = BT_ATT_ERR_UNLIKELY;
23192329
goto done;
23202330
}
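Review bot: the comment quotes the spec's rule for error codes the client does not understand, but the condition at `if (!chan->req || chan->req == &cancel || !rsp->error) {` only catches `rsp->error == 0`; every other reserved or unknown code is non-zero and already propagates as a failure, so the narrower check is sufficient, but the comment should say so and name the actual hazard: 0 is the one value a request callback treats as success (per the commit message, gatt_read_type_rsp then hands a NULL pdu to parse_characteristic), which is why it is remapped to BT_ATT_ERR_UNLIKELY. Consider also keeping the "Don't retry" sentence and the spec quotation as two separate comments, since they justify two different terms of the condition: no request pending versus an unusable error code.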
