Overview

File 0007-btmon-fix-segfault-caused-by-integer-underflow.patch of Package bluez.10088

From 8da5f210c47832404f01c5d059c4956e745b858b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:22:42 +0300
Subject: [PATCH 07/13] btmon: fix segfault caused by integer underflow

Fix segfault caused by integer underflow in set_event_filter_cmd().
Fix is to check that size is big enough before subtracting to prevent
underflow.

Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -4791,6 +4791,10 @@ static void set_event_filter_cmd(const v
 		break;
 
 	case 0x01:
+		if (size < 2) {
+			print_text(COLOR_ERROR, "  invalid parameter size");
+			break;
+		}
 		filter = *((const uint8_t *) (data + 1));
 
 		switch (filter) {
@@ -4830,11 +4834,21 @@ static void set_event_filter_cmd(const v
 			break;
 		}
 
+		if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
 		print_field("Filter: %s (0x%2.2x)", str, filter);
 		packet_hexdump(data + 2, size - 2);
 		break;
 
 	default:
+		if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
 		filter = *((const uint8_t *) (data + 1));
 
 		print_field("Filter: Reserved (0x%2.2x)", filter);
openSUSE Build Service is sponsored by
Places