File 0002-btmon-fix-segfault-caused-by-buffer-overflow.patch of Package bluez.17280

From b9085d74f19f693a91db85f3ac4be271e02e97af Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:24:15 +0300
Subject: [PATCH 10/13] btmon: fix segfault caused by buffer overflow

Buffer overflow vulnerability in monitor/sdp.c SDP continuation handling
caused btmon to crash. This happens in global static buffer which makes
it non-trivial to exploit.

This is nasty bug in a way that this can be triggered also over the air
by sending malformed SDP Search Attribute request to device running
btmon.

This crash was foung by fuzzing btmon with AFL. Seems to be reproducible
also with Synopsys Defensics SDP Server suite.
---
 monitor/sdp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: bluez-5.13/monitor/sdp.c
===================================================================
--- bluez-5.13.orig/monitor/sdp.c
+++ bluez-5.13/monitor/sdp.c
@@ -41,12 +41,13 @@
 #include "sdp.h"
 
 #define MAX_TID 16
+#define MAX_CONT_SIZE 17
 
 struct tid_data {
 	bool inuse;
 	uint16_t tid;
 	uint16_t channel;
-	uint8_t cont[17];
+	uint8_t cont[MAX_CONT_SIZE];
 };
 
 static struct tid_data tid_list[MAX_TID];
@@ -409,6 +410,10 @@ static void print_continuation(const uin
 static void store_continuation(struct tid_data *tid,
 					const uint8_t *data, uint16_t size)
 {
+	if (size > MAX_CONT_SIZE) {
+		print_text(COLOR_ERROR, "invalid continuation size");
+		return;
+	}
 	memcpy(tid->cont, data, size);
 	print_continuation(data, size);
 }
openSUSE Build Service is sponsored by