From d4d9523ffb96ab82dbbc671e072dba0b7c1b3212 Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Mon, 23 Oct 2023 16:11:36 +0200
Subject: [PATCH] bnep: fully validate UUID32 and UUID128

---
 CHANGELOG.md | 1 +
 src/classic/bnep.c | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4e22cd51..7ae79cc75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -77,6 +77,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - A2DP: use samples as timestamp, fixes issue with Apple Airpods Pro 2nd Gen
 - AVDTP Source: avdtp_source_stream_send_media_payload was removed, use avdtp_source_stream_send_media_payload_rtp instead
 - AVRCP: re-register for notification
+- BNEP: validate UUID32 and UUID128 service in connect request
 - HFP: fix setup/accept of synchronous connection
 - HFP: use mandatory safe settings considering BR/EDR Secure Connections to accept synchronous connections
 - HFP: avoid SCO packet types not supported either locally or remotely
diff --git a/src/classic/bnep.c b/src/classic/bnep.c
index c10a58e09..ef003e864 100644
--- a/src/classic/bnep.c
+++ b/src/classic/bnep.c
@@ -852,6 +852,28 @@ static int bnep_handle_connection_request(bnep_channel_t *channel, uint8_t *pack
 break;
 }
 
+ /* Check bits 16-31 of UUID */
+ if (uuid_size > 2){
+ uint16_t dest_prefix = big_endian_read_16(packet, 2);
+ if (dest_prefix != 0){
+ response_code = BNEP_RESP_SETUP_INVALID_DEST_UUID;
+ }
+ uint16_t src_prefix = big_endian_read_16(packet, 2 + uuid_size);
+ if (src_prefix != 0){
+ response_code = BNEP_RESP_SETUP_INVALID_SOURCE_UUID;
+ }
+ }
+
+ /* check bits 32-127 of UUID */
+ if (uuid_size == 16){
+ if (uuid_has_bluetooth_prefix(&packet[2]) == false){
+ response_code = BNEP_RESP_SETUP_INVALID_DEST_UUID;
+ }
+ if (uuid_has_bluetooth_prefix(&packet[2+16]) == false){
+ response_code = BNEP_RESP_SETUP_INVALID_SOURCE_UUID;
+ }
+ }
+
 /* Check source and destination UUIDs for valid combinations */
 if (response_code == BNEP_RESP_SETUP_SUCCESS) {
 channel->uuid_dest = big_endian_read_16(packet, 2 + uuid_offset);
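Review bot: The new checks never short-circuit, so a request whose destination and source UUIDs are both malformed is answered with BNEP_RESP_SETUP_INVALID_SOURCE_UUID because the later assignment overwrites the earlier one, and the checks still run when the size switch just above (outside the hunk) has presumably already set an error code. Gating each check on the current result keeps the first failure as the reported reason, e.g. `if ((response_code == BNEP_RESP_SETUP_SUCCESS) && (uuid_size > 2)){` for the 16-31 bit block, `} else if (big_endian_read_16(packet, 2 + uuid_size) != 0){` in place of the separate src_prefix test, and the same guard on the `uuid_size == 16` block. On the 128-bit branch `&packet[2+16]` reads more consistently as `&packet[2 + uuid_size]`, matching the offset expression used two blocks above. The reads at `2 + uuid_size` and `2 + 16` assume `size` was already checked against `2 + 2 * uuid_size` earlier in bnep_handle_connection_request; that check is not in the hunk, so confirm it exists before relying on these offsets. The enclosing function starts and ends outside the hunk.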