[Bluetooth] CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262: information disclosure in BNEP
Patch:
https://android.googlesource.com/platform/system/bt/+/a50e70468c0a8d207e416e273d05a08635bdd45f%5E%21/#F0
Download the source at the parent revision:
https://android.googlesource.com/platform/system/bt/+/f0edf6571d2d58e66ee0b100ebe49c585d31489f
Where the BNEP layer sits in the stack

Header format of a BNEP packet

BNEP Packet (0xXX): layout depends on the BNEP Type.

BNEP Type (0x00 - 0x7F): seven-bit Bluetooth Network Encapsulation Protocol Type value that identifies the type of BNEP header contained in this packet. Values are defined in Table 1 on page 14:
    0x00         BNEP_GENERAL_ETHERNET
    0x01         BNEP_CONTROL
    0x02         BNEP_COMPRESSED_ETHERNET
    0x03         BNEP_COMPRESSED_ETHERNET_SOURCE_ONLY
    0x04         BNEP_COMPRESSED_ETHERNET_DEST_ONLY
    0x05 - 0x7E  Reserved for future use
    0x7F         Reserved for 802.2 LLC Packets for IEEE 802.15.1 WG

Extension Flag (E) (0x00 - 0x01): one-bit extension flag that indicates whether one or more extension headers follow the BNEP header before the data payload, if a data payload exists. Extension headers are defined in section 3 on page 39. If the extension flag is 0x1, one or more extension headers follow the BNEP header; if it is 0x0, the BNEP payload follows the BNEP header directly.
When the BNEP Type is 0x01, the packet is a BNEP_CONTROL packet and has the following format:

Vulnerability 1: CVE-2017-13258
When data comes up from the L2CAP layer, bnep_data_ind() is called:
    static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
      tBNEP_CONN* p_bcb;
      uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
      uint16_t rem_len = p_buf->len;
      uint8_t type, ctrl_type, ext_type = 0;
      bool extension_present, fw_ext_present;
      uint16_t protocol = 0;

      /* Find CCB based on CID */
      p_bcb = bnepu_find_bcb_by_cid(l2cap_cid);
      if (p_bcb == NULL) {
        BNEP_TRACE_WARNING("BNEP - Rcvd L2CAP data, unknown CID: 0x%x", l2cap_cid);
        osi_free(p_buf);
        return;
      }

      /* Get the type and extension bits */
      type = *p++;
      extension_present = type >> 7;
      type &= 0x7f;
      if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) {
        BNEP_TRACE_EVENT("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type);
        osi_free(p_buf);
        return;
      }
      rem_len--;

      if ((p_bcb->con_state != BNEP_STATE_CONNECTED) &&
          (!(p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)) &&
          (type != BNEP_FRAME_CONTROL)) {
        BNEP_TRACE_WARNING("BNEP - Ignored L2CAP data while in state: %d, CID: 0x%x", p_bcb->con_state, l2cap_cid);

        if (extension_present) {
          /*
          ** When there is no connection if a data packet is received
          ** with unknown control extension headers then those should be processed
          ** according to complain/ignore law
          */
          uint8_t ext, length;
          uint16_t org_len, new_len;

          /* parse the extension headers and process unknown control headers */
          org_len = rem_len;
          new_len = 0;
          do {
            /* ext, length and (for extension type 0) the byte at p are all
               read, and p advanced, before new_len is compared with org_len */
            ext = *p++;
            length = *p++;
            p += length;

            if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
              bnep_send_command_not_understood(p_bcb, *p);

            new_len += (length + 2);

            if (new_len > org_len) break;
          } while (ext & 0x80);
        }
        ...
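The loop above advances p over each extension header, and reads through it, before new_len is compared with org_len, so that comparison cannot stop an over-long length byte from being used. As an added example (my own code, not the AOSP fix; the function and result names are hypothetical), here is the same walk written so that the remaining byte count is checked before every read:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Result codes for this added example; hypothetical names, not AOSP's. */
#define BNEP_PARSE_OK          0
#define BNEP_PARSE_TRUNCATED  -1

/* Decode the first BNEP header byte: bit 7 is the extension flag E,
 * bits 6..0 are the seven-bit BNEP Type (0x00 .. 0x7F). */
static void bnep_split_type(uint8_t first, uint8_t *type, bool *ext_present) {
  *ext_present = (first >> 7) != 0;
  *type = first & 0x7F;
}

/* Walk the extension-header chain starting at buf[0]. Each header is one
 * type byte (bit 7 set = another header follows), one length byte and
 * `length` payload bytes. Unlike the loop on the page, the remaining byte
 * count is checked before the type/length bytes are read and again before
 * the payload is skipped, so a chain that runs past the buffer is rejected
 * rather than read. On success *consumed is the chain length in bytes and
 * *count the number of headers seen. */
static int bnep_walk_extensions(const uint8_t *buf, size_t len,
                                size_t *consumed, unsigned *count) {
  size_t off = 0;
  unsigned n = 0;
  uint8_t ext;
  do {
    if (len - off < 2)                 /* room for type + length bytes? */
      return BNEP_PARSE_TRUNCATED;
    ext = buf[off];
    uint8_t ext_len = buf[off + 1];
    off += 2;
    if (ext_len > len - off)           /* room for the declared payload? */
      return BNEP_PARSE_TRUNCATED;
    off += ext_len;
    n++;
  } while (ext & 0x80);
  *consumed = off;
  *count = n;
  return BNEP_PARSE_OK;
}

/* Constructed sample: two extension headers, the first with E set. */
static const uint8_t bnep_sample_ok[]  = {0x80, 0x02, 0xAA, 0xBB, 0x00, 0x01, 0xCC};
/* Constructed sample: the second header declares 5 payload bytes, only 1 follows. */
static const uint8_t bnep_sample_bad[] = {0x80, 0x02, 0xAA, 0xBB, 0x00, 0x05, 0xCC};
```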
Vulnerability 2: CVE-2017-13260
Vulnerability 3: CVE-2017-13261
Vulnerability 4: CVE-2017-13262