File 0004-btmon-Fix-crash-caused-by-integer-underflow.patch of Package bluez.25541
From f01e006a26e42581c092efc10b68c2f51f3bb6f3 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:21:17 +0300
Subject: [PATCH 04/13] btmon: Fix crash caused by integer underflow
Check in packet_ctrl_open that parsed length is not more than buffer size.
Bug was found by fuzzing btmon with AFL.
---
monitor/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10359,7 +10359,7 @@ void packet_ctrl_open(struct timeval *tv
flags = get_le32(data + 3);
ident_len = get_u8(data + 7);
- if (ident_len > size) {
+ if ((8 + ident_len) > size) {
print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
"Malformed Control Open packet", NULL, NULL);
return;