From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 4 Jan 2021 10:38:31 -0800
Subject: [PATCH] gatt: Fix potential buffer out-of-bound

When client features is read check if the offset is within the cli_feat
bounds.

Fixes: https://github.com/bluez/bluez/issues/70

+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+CVE: CVE-2021-3588

---
 src/gatt-database.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index 90cc4bade..f2d7b5821 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
 		goto done;
 	}
 
+	if (offset >= sizeof(state->cli_feat)) {
+		ecode = BT_ATT_ERROR_INVALID_OFFSET;
+		goto done;
+	}
+
 	len = sizeof(state->cli_feat) - offset;
 	value = len ? &state->cli_feat[offset] : NULL;