* [PATCH 02/12] btmon: fix segfault caused by buffer over-read
@ 2018-10-16 20:20 Matias Karhumaa
From: Matias Karhumaa @ 2018-10-16 20:20 UTC (permalink / raw)
  To: linux-bluetooth

Fix segmentation fault caused by buffer over-read in packet_ctrl_open().

The fix is to check that ident_len is not bigger than size.

This bug was found by fuzzing btmon with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
3813			str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
(gdb) bt
 #0  0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
 #1  0x000000000041eda4 in packet_ctrl_open (tv=<optimized out>, cred=<optimized out>, index=<optimized out>, data=0x7fffffffda7e, size=<optimized out>) at monitor/packet.c:10286
 #2  0x000000000041b193 in packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=65535, opcode=<optimized out>, data=0x7fffffffda60, size=14) at monitor/packet.c:3957
 #3  0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
 #4  0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
(gdb)
---
 monitor/packet.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/monitor/packet.c b/monitor/packet.c
index 64faceca1..3e2a08a1c 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10241,6 +10241,12 @@ void packet_ctrl_open(struct timeval *tv, struct ucred *cred, uint16_t index,
 		flags = get_le32(data + 3);
 		ident_len = get_u8(data + 7);
 
+		if (ident_len > size) {
+			print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
+                                "Malformed Control Open packet", NULL, NULL);
+			return;
+		}
+
 		data += 8;
 		size -= 8;
 
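Review bot: the new bound check is placed before `data += 8; size -= 8;`, so it compares ident_len against the size of the whole remaining packet rather than against the bytes that remain after the 8-byte header is consumed. With `ident_len > size` evaluated at that point, an ident_len equal to `size` passes the check, but only `size - 8` bytes of identifier actually follow, so the later read of the identifier can still run up to 8 bytes past the end of the buffer. Move the check below `size -= 8;` (keeping the same `if (ident_len > size)` condition) so it bounds the identifier against the remaining payload. Also, the continuation line `"Malformed Control Open packet", NULL, NULL);` is indented with spaces while the surrounding code uses tabs; match the file's tab indentation.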
-- 
2.17.1

