File 0006-btmon-fix-multiple-segfaults.patch of Package bluez (Revision 104faf38ff0af43a4050079564dd6963)
From c5d07196d3937c726e0d809a9b5c8100c083890b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:22:16 +0300
Subject: [PATCH 06/13] btmon: fix multiple segfaults
Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.
Crashes were found by fuzzing btmon with AFL.
---
monitor/packet.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
15
Index: bluez-5.48/monitor/packet.c
16
===================================================================
17
--- bluez-5.48.orig/monitor/packet.c
18
+++ bluez-5.48/monitor/packet.c
19
20
char extra_str[25], vendor_str[150];
21
int i;
22
23
+ if (index > MAX_INDEX) {
24
+ print_field("Invalid index (%d).", index);
25
+ return;
26
+ }
27
+
28
index_list[index].frame++;
29
30
- if (size < HCI_COMMAND_HDR_SIZE) {
31
+ if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
32
sprintf(extra_str, "(len %d)", size);
33
print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
34
"Malformed HCI Command packet", NULL, extra_str);
35
- packet_hexdump(data, size);
36
return;
37
}
38
39
40
char extra_str[25];
41
int i;
42
43
+ if (index > MAX_INDEX) {
44
+ print_field("Invalid index (%d).", index);
45
+ return;
46
+ }
47
+
48
+
49
index_list[index].frame++;
50
51
if (size < HCI_EVENT_HDR_SIZE) {
52
53
uint8_t flags = acl_flags(handle);
54
char handle_str[16], extra_str[32];
55
56
+ if (index > MAX_INDEX) {
57
+ print_field("Invalid index (%d).", index);
58
+ return;
59
+ }
60
+
61
index_list[index].frame++;
62
63
if (size < HCI_ACL_HDR_SIZE) {
64
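Review bot: The new guard `if (index > MAX_INDEX)` still admits index == MAX_INDEX; if index_list is declared with MAX_INDEX entries (its definition is outside these hunks), that value reads one element past the array in `index_list[index].frame++`, so the comparison should be `if (index >= MAX_INDEX)` — the same guard is repeated in the packet_hci_event and packet_hci_acldata hunks. The upper bound `size > BTSNOOP_MAX_PACKET_SIZE` is added only to the command path, while the event and ACL paths keep `size < HCI_EVENT_HDR_SIZE` and `size < HCI_ACL_HDR_SIZE` alone, which deserves the same treatment if their callers can pass oversized lengths. Rejecting through print_field rather than print_packet also leaves the dropped packet without the timestamp/index line that the malformed-size branches print, so a fuzzed input that trips this path is harder to correlate in the trace. All three enclosing functions start and end outside the hunks.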