File 0004-btmon-Fix-crash-caused-by-integer-underflow.patch of Package bluez.25541

From f01e006a26e42581c092efc10b68c2f51f3bb6f3 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:21:17 +0300
Subject: [PATCH 04/13] btmon: Fix crash caused by integer underflow

Check in packet_ctrl_open that parsed length is not more than buffer size.

Bug was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10359,7 +10359,7 @@ void packet_ctrl_open(struct timeval *tv
 		flags = get_le32(data + 3);
 		ident_len = get_u8(data + 7);
 
-		if (ident_len > size) {
+		if ((8 + ident_len) > size) {
 			print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
                                 "Malformed Control Open packet", NULL, NULL);
 			return;
openSUSE Build Service is sponsored by