[PATCH 07/12] btmon: fix segfault caused by integer underflow

* [PATCH 07/12] btmon: fix segfault caused by integer underflow
@ 2018-10-16 20:22 Matias Karhumaa
  0 siblings, 0 replies; only message in thread
From: Matias Karhumaa @ 2018-10-16 20:22 UTC (permalink / raw)
  To: linux-bluetooth

Fix segfault caused by integer underflow in set_event_filter_cmd().
Fix is to check that size is big enough before subtracting to prevent
underflow.

Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/monitor/packet.c b/monitor/packet.c
index abdc18aa2..461f5e84b 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -4726,6 +4726,10 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
 		break;
 
 	case 0x01:
+		if (size < 2) {
+			print_text(COLOR_ERROR, "  invalid parameter size");
+			break;
+		}
 		filter = *((const uint8_t *) (data + 1));
 
 		switch (filter) {
@@ -4765,11 +4769,21 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
 			break;
 		}
 
+		if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
 		print_field("Filter: %s (0x%2.2x)", str, filter);
 		packet_hexdump(data + 2, size - 2);
 		break;
 
 	default:
+		if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
 		filter = *((const uint8_t *) (data + 1));
 
 		print_field("Filter: Reserved (0x%2.2x)", filter);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] only message in thread