[PATCH BlueZ] pbap: Fix not checking Database Identifier length

[PATCH BlueZ] pbap: Fix not checking Database Identifier length

[Frédéric Danis]

Database Identifier is supposed to be 16 bytes values.

A paired Bluetooth device acting as a PBAP server can overflow the
heap in obexd by up to 239 bytes into adjacent allocations by returning
a DATABASEID_TAG application parameter with an oversized length.
With both length and content fully attacker-controlled, this enables
standard glibc heap exploitation primitives (tcache/fastbin poisoning)
leading to remote code execution in the obexd process.
---
 obexd/client/pbap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
index 0f575e61e..ce5e6cd5d 100644
--- a/obexd/client/pbap.c
+++ b/obexd/client/pbap.c
@@ -330,7 +330,8 @@ static void read_databaseid(struct pbap_data *pbap, GObexApparam *apparam)
 		data = value;
 	}
 
-	if (memcmp(data, pbap->databaseid, len)) {
+	if (len == sizeof(pbap->databaseid) &&
+			memcmp(data, pbap->databaseid, len)) {
 		memcpy(pbap->databaseid, data, len);
 		g_dbus_emit_property_changed(conn,
 					obc_session_get_path(pbap->session),
-- 
2.43.0

RE: [BlueZ] pbap: Fix not checking Database Identifier length

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 825 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1093372

---Test result---

Test Summary:
CheckPatch                    PASS      0.48 seconds
GitLint                       PASS      0.35 seconds
BuildEll                      PASS      20.05 seconds
BluezMake                     PASS      605.42 seconds
CheckSmatch                   PASS      327.55 seconds
bluezmakeextell               PASS      166.87 seconds
IncrementalBuild              PASS      618.83 seconds
ScanBuild                     PASS      917.76 seconds



https://github.com/bluez/bluez/pull/2120

---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ] pbap: Fix not checking Database Identifier length

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 12 May 2026 10:37:50 +0200 you wrote:
> Database Identifier is supposed to be 16 bytes values.
> 
> A paired Bluetooth device acting as a PBAP server can overflow the
> heap in obexd by up to 239 bytes into adjacent allocations by returning
> a DATABASEID_TAG application parameter with an oversized length.
> With both length and content fully attacker-controlled, this enables
> standard glibc heap exploitation primitives (tcache/fastbin poisoning)
> leading to remote code execution in the obexd process.
> 
> [...]

Here is the summary with links:
  - [BlueZ] pbap: Fix not checking Database Identifier length
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=6ba04fad369f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html