Re: SDP payload processing vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Marcel,

Thank you for the quick reply.

> the SDP part has always been the weak point in every Bluetooth stack.
> Our server side it pretty good, but it seems the client one is really
> bad and I must admit that I never looked into in that in details.

I'm concerned that hcid is also vulnerable to this (which would make
it both a server and a client problem?).

> Changing the API is really a problem here. We can't do that. At least
> not that easily. We can extend the API with more safe calls and then
> slowly move over the clients.

That sounds good.  I can write safe versions of the parsing routines
and move everything I can find over to the new API; old clients will
still work with the old (unsafe) API.  This may present some
maintenance challenges since there will be 2x parsing code, but it is
better than leaving security holes everywhere.

Is bluez.org currently down?  I can't seem to get at the latest version...

Glenn

On Mon, Jun 16, 2008 at 1:59 PM, Marcel Holtmann <marcel@xxxxxxxxxxxx> wrote:
> Hi Glenn,
>
>> The SDP parsing code blindly trusts string length fields in incoming
>> SDP packets, exposing reliant applications to over-the-wireless memory
>> manipulation attacks.   An attacker need only send a malformed
>> response to an SDP query to take advantage of this.
>
> the SDP part has always been the weak point in every Bluetooth stack.
> Our server side it pretty good, but it seems the client one is really
> bad and I must admit that I never looked into in that in details.
>
>> This is most apparent in file bluez-libs-3.30/src/sdp.c, lines 988,
>> 994, 1002 (see below).  Also elsewhere in the code where input
>> pointers are advanced without checking bytes remaining to be parsed.
>> The root of the problem is that in bluez-libs-3.30/src/sdp.c:1125, the
>> function sdp_extract_pdu() takes a buffer to parse (in) and a pointer
>> to a length field (out), but it does not take an incoming length field
>> (in).
>>
>> Attached is a patch to fix this issue.  Basically I added a
>> "bytesleft" argument to all of the SDP payload processing routines;
>> length fields are checked
>> against the number of remaining bytes to ensure the parser doesn't run
>> past the end of the packet, or do crazy things like malloc two gigs of
>> memory.  This touches a lot of places, and changes the external API
>> for SDP payload processing, but I don't see any other way to do this
>> -- the parser MUST be aware of the incoming packet size in order for
>> this to be secure.
>
> Changing the API is really a problem here. We can't do that. At least
> not that easily. We can extend the API with more safe calls and then
> slowly move over the clients.
>
> Regards
>
> Marcel
>
>
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Bluez-devel mailing list
> Bluez-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/bluez-devel
>

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Bluez-devel mailing list
Bluez-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/bluez-devel

[Index of Archives]     [Linux Bluetooth Devel]     [Linux USB Devel]     [Network Devel]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux