[Bluetooth] CVE-2017-13258 CVE-2017-13260 CVE-2017-13261 CVE-2017-13262 Information Disclosure
Patch
https://android.googlesource.com/platform/system/bt/+/a50e70468c0a8d207e416e273d05a08635bdd45f%5E%21/#F0
Download the source code from the parent revision
https://android.googlesource.com/platform/system/bt/+/f0edf6571d2d58e66ee0b100ebe49c585d31489f
Position of the BNEP layer
Header format of a BNEP packet
BNEP Packet:
Value | Parameter Description |
---|---|
0xXX | Based on the BNEP Type |
BNEP Type:
Value | Parameter Description |
---|---|
0x00 – 0x7F | Seven bit Bluetooth Network Encapsulation Protocol Type value identifies the type of BNEP header contained in this packet. Values are defined in Table 1 on page 14 |
Value | BNEP Packet Type |
---|---|
0x00 | BNEP_GENERAL_ETHERNET |
0x01 | BNEP_CONTROL |
0x02 | BNEP_COMPRESSED_ETHERNET |
0x03 | BNEP_COMPRESSED_ETHERNET_SOURCE_ONLY |
0x04 | BNEP_COMPRESSED_ETHERNET_DEST_ONLY |
0x05 - 0x7E | Reserved for future use |
0x7F | Reserved for 802.2 LLC Packets for IEEE 802.15.1 WG |
Extension Flag (E):
Value | Parameter Description |
---|---|
0x00 – 0x01 | One bit extension flag that indicates if one or more extension headers follow the BNEP Header before the data payload if the data payload exists. Extension headers are defined in section 3 on page 39. If the extension flag is equal to 0x1 then one or more extension headers follows the BNEP header. If the extension flag is equal to 0x0 then the BNEP payload follows the BNEP header. |
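
The first-octet layout in the tables above, as an added C example (not code from the original post or from the Android Bluetooth stack). The function name `bnep_payload_offset`, the per-type fixed header sizes and the extension header layout are assumptions taken from the BNEP specification's field layout; every read is preceded by a length check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Fixed bytes after the type octet, indexed by BNEP Type 0x00..0x04.
 * Assumption: sizes follow the BNEP specification field layout (6-byte
 * addresses, 2-byte protocol type, 1-byte control type), not this page. */
static const size_t bnep_fixed_len[] = { 14, 1, 2, 8, 8 };
#define BNEP_CONTROL   0x01
#define BNEP_ERR_TYPE  (-1) /* reserved or unknown BNEP Type */
#define BNEP_ERR_SHORT (-2) /* buffer ends before the announced header */

/* Splits the first octet into BNEP Type and E flag and returns the offset of
 * the bytes after all headers, or a negative error. Each read is preceded by
 * a length check: the peer controls the header bits and the byte count. */
long bnep_payload_offset(const uint8_t *buf, size_t len,
                         uint8_t *type, uint8_t *ext)
{
    size_t off, ext_len = 0;
    uint8_t more;
    if (len < 1)
        return BNEP_ERR_SHORT;
    *type = buf[0] & 0x7F; /* low seven bits */
    *ext = buf[0] >> 7;    /* top bit: extension headers follow */
    if (*type >= sizeof(bnep_fixed_len) / sizeof(bnep_fixed_len[0]))
        return BNEP_ERR_TYPE;
    off = 1 + bnep_fixed_len[*type];
    if (len < off)
        return BNEP_ERR_SHORT;
    /* Extension header (assumed spec layout): type/E octet, length octet,
     * then that many bytes. For BNEP_CONTROL the control message body comes
     * first and its size depends on the control type, so stop there. */
    for (more = (*type == BNEP_CONTROL) ? 0 : *ext; more; off += ext_len) {
        if (len - off < 2)
            return BNEP_ERR_SHORT;
        more = buf[off] >> 7;
        ext_len = buf[off + 1];
        off += 2;
        if (len - off < ext_len)
            return BNEP_ERR_SHORT;
    }
    return (long)off;
}

int main(void)
{
    /* Constructed packet: BNEP_COMPRESSED_ETHERNET, E=1, one extension. */
    const uint8_t pkt[] = { 0x82, 0x08, 0x00, 0x00, 0x02, 0xAA, 0xBB, 0x45 };
    uint8_t t, e;
    printf("offset=%ld\n", bnep_payload_offset(pkt, sizeof(pkt), &t, &e));
    return 0;
}
```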
When BNEP Type is 0x01, the BNEP packet is of type BNEP_CONTROL, and the packet format is as follows
Vulnerability 1: CVE-2017-13258
When data is passed up from the L2CAP layer, bnep_data_ind() is called
Vulnerability 2: CVE-2017-13260
Vulnerability 3: CVE-2017-13261
Vulnerability 4: CVE-2017-13262