* [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
@ 2019-04-24 9:53 Cho, Yu-Chen
0 siblings, 0 replies; 4+ messages in thread
From: Cho, Yu-Chen @ 2019-04-24 9:53 UTC (permalink / raw)
To: linux-bluetooth; +Cc: acho, jlee
Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
tools/hcidump.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/hcidump.c b/tools/hcidump.c
index 33d429b6c..6cc55404d 100644
--- a/tools/hcidump.c
+++ b/tools/hcidump.c
@@ -105,6 +105,15 @@ struct pktlog_hdr {
static inline int read_n(int fd, char *buf, int len)
{
int t = 0, w;
+ off_t fsize, currentpos, startpos;
+
+ currentpos = lseek(fd, 0, SEEK_CUR);
+ fsize = lseek(fd, 0, SEEK_END);
+ lseek(fd, currentpos, SEEK_SET);
+ fsize -= currentpos;
+
+ if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+ return -1;
while (len > 0) {
if ((w = read(fd, buf, len)) < 0) {
--
2.21.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
@ 2019-04-24 9:16 Cho, Yu-Chen
0 siblings, 0 replies; 4+ messages in thread
From: Cho, Yu-Chen @ 2019-04-24 9:16 UTC (permalink / raw)
To: linux-bluetooth; +Cc: acho, jlee
Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
tools/hcidump.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/hcidump.c b/tools/hcidump.c
index 33d429b6c..6cc55404d 100644
--- a/tools/hcidump.c
+++ b/tools/hcidump.c
@@ -105,6 +105,15 @@ struct pktlog_hdr {
static inline int read_n(int fd, char *buf, int len)
{
int t = 0, w;
+ off_t fsize, currentpos, startpos;
+
+ currentpos = lseek(fd, 0, SEEK_CUR);
+ fsize = lseek(fd, 0, SEEK_END);
+ lseek(fd, currentpos, SEEK_SET);
+ fsize -= currentpos;
+
+ if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+ return -1;
while (len > 0) {
if ((w = read(fd, buf, len)) < 0) {
--
2.21.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
@ 2018-03-31 6:55 Cho, Yu-Chen
0 siblings, 0 replies; 4+ messages in thread
From: Cho, Yu-Chen @ 2018-03-31 6:55 UTC (permalink / raw)
To: linux-bluetooth; +Cc: acho
Do not allow to read more then buffer size.
---
tools/hcidump.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/hcidump.c b/tools/hcidump.c
index af8f5925a..9044cdd02 100644
--- a/tools/hcidump.c
+++ b/tools/hcidump.c
@@ -89,6 +89,8 @@ struct btsnoop_pkt {
} __attribute__ ((packed));
#define BTSNOOP_PKT_SIZE (sizeof(struct btsnoop_pkt))
+#define BTSNOOP_MAX_PACKET_SIZE (1486 + 4)
+
static uint8_t btsnoop_id[] = { 0x62, 0x74, 0x73, 0x6e, 0x6f, 0x6f, 0x70, 0x00 };
static uint32_t btsnoop_version = 0;
@@ -328,6 +330,9 @@ static void read_dump(int fd)
}
frm.data_len = be32toh(ph.len) - 8;
+ if (frm.data_len > BTSNOOP_MAX_PACKET_SIZE)
+ goto failed;
+
err = read_n(fd, frm.data + 1, frm.data_len - 1);
} else if (parser.flags & DUMP_BTSNOOP) {
uint32_t opcode;
@@ -394,6 +399,9 @@ static void read_dump(int fd)
}
} else {
frm.data_len = btohs(dh.len);
+ if (frm.data_len > HCI_MAX_FRAME_SIZE)
+ goto failed;
+
err = read_n(fd, frm.data, frm.data_len);
}
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
@ 2018-03-16 10:43 Cho, Yu-Chen
0 siblings, 0 replies; 4+ messages in thread
From: Cho, Yu-Chen @ 2018-03-16 10:43 UTC (permalink / raw)
To: linux-bluetooth; +Cc: acho
The Supported Commands is a 64 octet bit field.
Do not allow to read more then the size.
---
tools/parser/csr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/parser/csr.c b/tools/parser/csr.c
index a0a4eb5fe..d14830821 100644
--- a/tools/parser/csr.c
+++ b/tools/parser/csr.c
@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, struct frame *frm)
unsigned char commands[64];
unsigned int i;
+ if (frm->len > 64) {
+ perror("Read Error");
+ exit(0);
+ }
+
memcpy(commands, frm->ptr, frm->len);
p_indent(level, frm);
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-04-24 9:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-24 9:53 [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet Cho, Yu-Chen
-- strict thread matches above, loose matches on Subject: below --
2019-04-24 9:16 Cho, Yu-Chen
2018-03-31 6:55 Cho, Yu-Chen
2018-03-16 10:43 Cho, Yu-Chen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.