Bluetooth: ots: missing buffer length check

Summary

No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

Details

There is no length check before pulling data from net_buf.

olcp_ind_handler:

static void olcp_ind_handler(struct bt_conn *conn,
			     struct bt_ots_client *otc_inst,
			     const void *data, uint16_t length)
{
	enum bt_gatt_ots_olcp_proc_type op_code;
	struct net_buf_simple net_buf;

	net_buf_simple_init_with_data(&net_buf, (void *)data, length);

	op_code = net_buf_simple_pull_u8(&net_buf);

	LOG_DBG("OLCP indication");

	if (op_code == BT_GATT_OTS_OLCP_PROC_RESP) {
		enum bt_gatt_ots_olcp_proc_type req_opcode =
			net_buf_simple_pull_u8(&net_buf);
		enum bt_gatt_ots_olcp_res_code result_code =
			net_buf_simple_pull_u8(&net_buf);

There should be a length check before retrieving req_opcode and result_code.

Impact

Result of exploitation could lead to instability (i.e., crash) or denial of service attacks.

Patches

main: #74944
v3.6: #77954

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities

embargo: 2024-09-22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bluetooth: ots: missing buffer length check

Package

Affected versions

Patched versions

Description

Summary

Details

Impact

Patches

For more information

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits