Hi, bluetoothd does not check in some (all?) places that the remote name reported by a device is valid utf8 data. e.g., extract_eir_name() in src/dbus-hci.c. The reception of an extended inquiry response containing a name with invalid utf8 data can cause the dbus interface to disappear. This is therefore a denial-of-service vulnerability (at the very least). The following patch fixes the above problem but there are probably other places where the check needs to be done. --- bluez-4.51.orig/src/dbus-hci.c +++ bluez-4.51/src/dbus-hci.c @@ -450,6 +450,8 @@ switch (*type) { case 0x08: case 0x09: + if (!g_utf8_validate(data + 2, data[0] - 1, NULL)) + return strdup(""); return strndup((char *) (data + 2), data[0] - 1); } David -- David Vrabel, Senior Software Engineer, Drivers CSR, Churchill House, Cambridge Business Park, Tel: +44 (0)1223 692562 Cowley Road, Cambridge, CB4 0WZ http://www.csr.com/ Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html