The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.
A security issue has been found in BlueZ before version 556 The cli_feat_read_cb() function in src/gatt-databasec does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading ...