From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> When client features is read check if the offset is within the cli_feat bounds. Fixes: https://github.com/bluez/bluez/issues/70 --- src/gatt-database.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/gatt-database.c b/src/gatt-database.c index 90cc4bade..f2d7b5821 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, goto done; } + if (offset >= sizeof(state->cli_feat)) { + ecode = BT_ATT_ERROR_INVALID_OFFSET; + goto done; + } + len = sizeof(state->cli_feat) - offset; value = len ? &state->cli_feat[offset] : NULL; -- 2.26.2
