From e6d27c77ef02883b3fadfd4d605fb09ec104dae1 Mon Sep 17 00:00:00 2001
From: Lingao Meng
Date: Wed, 22 Jun 2022 12:19:32 +0800
Subject: [PATCH] Bluetooth: Host: Fix ATT security vulnerabilities

When the client receives att error rsp, but the error code is an illegal value, such as 0, an exception will be triggered.

gatt_read_type --> gatt_read_type_rsp --> parse_characteristic `switch (rsp->len) {` null address access.

Signed-off-by: Lingao Meng
---
 subsys/bluetooth/host/att.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/host/att.c b/subsys/bluetooth/host/att.c
index 3a7e1b0546..f2ec6a4cac 100644
--- a/subsys/bluetooth/host/att.c
+++ b/subsys/bluetooth/host/att.c
@@ -2313,8 +2313,18 @@ static uint8_t att_error_rsp(struct bt_att_chan *chan, struct net_buf *buf)
 BT_DBG("request 0x%02x handle 0x%04x error 0x%02x", rsp->request,
 sys_le16_to_cpu(rsp->handle), rsp->error);
 
- /* Don't retry if there is no req pending or it has been cancelled */
- if (!chan->req || chan->req == &cancel) {
+ /* Don't retry if there is no req pending or it has been cancelled.
+ *
+ * BLUETOOTH SPECIFICATION Version 5.2 [Vol 3, Part F]
+ * page 1423:
+ *
+ * If an error code is received in the ATT_ERROR_RSP PDU that is not
+ * understood by the client, for example an error code that was reserved
+ * for future use that is now being used in a future version of the
+ * specification, then the ATT_ERROR_RSP PDU shall still be considered to
+ * state that the given request cannot be performed for an unknown reason.
+ */
+ if (!chan->req || chan->req == &cancel || !rsp->error) {
 err = BT_ATT_ERR_UNLIKELY;
 goto done;
 }
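Review bot: The added `!rsp->error` term in the `if` is the actual fix, but the eleven-line comment above it quotes spec text about error codes the client does not understand, while the check only rejects the single value 0 and never says why 0 in particular is dangerous. Per the commit message the danger is that a peer-supplied error code of 0 reaches the response callbacks, which presumably treat err == 0 as success and then parse a PDU the error path never supplied (the `switch (rsp->len)` null access in parse_characteristic); that reasoning belongs next to the condition. I would shorten the spec citation and put directly above the `if`: `/* Error code 0 is not a valid ATT error; passing it on would look like success to the response callbacks, which would then parse an absent PDU. Treat it as BT_ATT_ERR_UNLIKELY. */`. Out-of-range non-zero codes still flow through unchanged, which is what the quoted spec text permits, but it is worth confirming on the `done:` path (outside this hunk) that err can never be 0 when the callbacks are invoked, so the invariant does not rest on this one comparison. att_error_rsp continues past the end of the hunk.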