File 0006-btmon-fix-multiple-segfaults.patch of Package bluez.25541
From c5d07196d3937c726e0d809a9b5c8100c083890b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:22:16 +0300
Subject: [PATCH 06/13] btmon: fix multiple segfaults
Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.
Crashes were found by fuzzing btmon with AFL.
---
monitor/packet.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10062,13 +10062,17 @@ void packet_hci_command(struct timeval *
char extra_str[25], vendor_str[150];
int i;
+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
index_list[index].frame++;
- if (size < HCI_COMMAND_HDR_SIZE) {
+ if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
sprintf(extra_str, "(len %d)", size);
print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
"Malformed HCI Command packet", NULL, extra_str);
- packet_hexdump(data, size);
return;
}
@@ -10165,6 +10169,12 @@ void packet_hci_event(struct timeval *tv
char extra_str[25];
int i;
+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
+
index_list[index].frame++;
if (size < HCI_EVENT_HDR_SIZE) {
@@ -10239,6 +10249,11 @@ void packet_hci_acldata(struct timeval *
uint8_t flags = acl_flags(handle);
char handle_str[16], extra_str[32];
+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
index_list[index].frame++;
if (size < HCI_ACL_HDR_SIZE) {