* [bluez/bluez] 88b4a6: pbap: Fix not checking Database Identifier length
@ 2026-05-12 9:22 fdanis-oss
From: fdanis-oss @ 2026-05-12 9:22 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1093372
Home: https://github.com/bluez/bluez
Commit: 88b4a67b600e6fe2427c69629af229d292ae6076
https://github.com/bluez/bluez/commit/88b4a67b600e6fe2427c69629af229d292ae6076
Author: Frédéric Danis <frederic.danis@collabora.com>
Date: 2026-05-12 (Tue, 12 May 2026)
Changed paths:
M obexd/client/pbap.c
Log Message:
-----------
pbap: Fix not checking Database Identifier length
Database Identifier is supposed to be a 16-byte value.
A paired Bluetooth device acting as a PBAP server can overflow the
heap in obexd by up to 239 bytes into adjacent allocations by returning
a DATABASEID_TAG application parameter with an oversized length.
With both length and content fully attacker-controlled, this enables
standard glibc heap exploitation primitives (tcache/fastbin poisoning)
leading to remote code execution in the obexd process.
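The commit message describes the defect as a missing length check on the DATABASEID_TAG application parameter before its value is copied into a fixed-size destination. The following is an added example, not bluez code, of how a defensive OBEX application-parameter parser handles that case: it walks the 1-byte tag / 1-byte length / value triplets, rejects any value that runs past the end of the packet, and only copies a DatabaseIdentifier after confirming its length is exactly 16. The tag number 0x0D, the `struct db_id` type and the `parse_app_params` / `check_*` function names are assumptions for this example; the sample buffers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed tag value for the PBAP DatabaseIdentifier application parameter. */
#define DATABASEID_TAG 0x0D
/* The commit message states the identifier is a 16-byte value. */
#define DATABASEID_LEN 16

/* Hypothetical result type: the parsed identifier and whether it was seen. */
struct db_id {
    uint8_t id[DATABASEID_LEN];
    int present;
};

/*
 * Parse OBEX application-parameter TLVs (1-byte tag, 1-byte length, value).
 * Returns 0 on success, -1 on malformed input. A 1-byte length field can
 * claim up to 255 bytes; copying that blindly into a 16-byte buffer is the
 * 239-byte overflow the commit message describes, so the length is checked
 * before anything is copied.
 */
int parse_app_params(const uint8_t *buf, size_t len, struct db_id *out)
{
    size_t pos = 0;

    memset(out, 0, sizeof(*out));

    while (pos < len) {
        if (len - pos < 2)
            return -1;                      /* truncated tag/length header */

        uint8_t tag = buf[pos];
        uint8_t vlen = buf[pos + 1];
        pos += 2;

        if (vlen > len - pos)
            return -1;                      /* value runs past the packet */

        const uint8_t *val = buf + pos;

        if (tag == DATABASEID_TAG) {
            if (vlen != DATABASEID_LEN)
                return -1;                  /* the check the fix adds */
            memcpy(out->id, val, DATABASEID_LEN);
            out->present = 1;
        }
        /* Unknown tags are skipped by their declared length. */
        pos += vlen;
    }
    return 0;
}

/* Constructed sample: a well-formed 16-byte DatabaseIdentifier. Returns 1 if accepted. */
int check_valid_sample(void)
{
    uint8_t buf[2 + DATABASEID_LEN];
    struct db_id out;
    int i;

    buf[0] = DATABASEID_TAG;
    buf[1] = DATABASEID_LEN;
    for (i = 0; i < DATABASEID_LEN; i++)
        buf[2 + i] = (uint8_t)i;

    if (parse_app_params(buf, sizeof(buf), &out) != 0)
        return 0;
    return out.present && out.id[DATABASEID_LEN - 1] == DATABASEID_LEN - 1;
}

/* Constructed sample: oversized length (255) with matching payload. Returns 1 if rejected. */
int check_oversized_sample(void)
{
    uint8_t buf[2 + 255];
    struct db_id out;

    buf[0] = DATABASEID_TAG;
    buf[1] = 255;
    memset(buf + 2, 0x41, 255);
    return parse_app_params(buf, sizeof(buf), &out) == -1;
}

/* Constructed sample: length claims 16 bytes but the packet carries 2. Returns 1 if rejected. */
int check_truncated_sample(void)
{
    uint8_t buf[4] = { DATABASEID_TAG, DATABASEID_LEN, 0x00, 0x00 };
    struct db_id out;

    return parse_app_params(buf, sizeof(buf), &out) == -1;
}

int main(void)
{
    printf("valid: %d, oversized rejected: %d, truncated rejected: %d\n",
           check_valid_sample(), check_oversized_sample(),
           check_truncated_sample());
    return 0;
}
```

The two bounds checks are independent: the first (`vlen > len - pos`) stops an out-of-bounds read of the incoming packet, the second (`vlen != DATABASEID_LEN`) stops the out-of-bounds write into the fixed-size destination. Both are needed, since a peer can send a packet that is large enough to satisfy the first check while still carrying a 255-byte identifier.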