File 0006-btmon-fix-multiple-segfaults.patch of Package bluez.25541

From c5d07196d3937c726e0d809a9b5c8100c083890b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:22:16 +0300
Subject: [PATCH 06/13] btmon: fix multiple segfaults

Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.

Crashes were found by fuzzing btmon with AFL.
---
 monitor/packet.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10062,13 +10062,17 @@ void packet_hci_command(struct timeval *
 	char extra_str[25], vendor_str[150];
 	int i;
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
 	index_list[index].frame++;
 
-	if (size < HCI_COMMAND_HDR_SIZE) {
+	if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
 		sprintf(extra_str, "(len %d)", size);
 		print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
 			"Malformed HCI Command packet", NULL, extra_str);
-		packet_hexdump(data, size);
 		return;
 	}
 
@@ -10165,6 +10169,12 @@ void packet_hci_event(struct timeval *tv
 	char extra_str[25];
 	int i;
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
+
 	index_list[index].frame++;
 
 	if (size < HCI_EVENT_HDR_SIZE) {
@@ -10239,6 +10249,11 @@ void packet_hci_acldata(struct timeval *
 	uint8_t flags = acl_flags(handle);
 	char handle_str[16], extra_str[32];
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
 	index_list[index].frame++;
 
 	if (size < HCI_ACL_HDR_SIZE) {
openSUSE Build Service is sponsored by