From 5ceef2cbde0b4407e61dc2370780bda895c8019c Mon Sep 17 00:00:00 2001 From: Matias Karhumaa Date: Tue, 16 Oct 2018 23:20:40 +0300 Subject: [PATCH] btmon: fix segfault caused by buffer over-read Fix segfault caused by buffer over-read in packet_hci_scodata function of monitor/packet.c. Fix is to check that index is not bigger than MAX_INDEX. This bug was found by fuzzing with AFL. --- monitor/packet.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/monitor/packet.c b/monitor/packet.c index 219070e06..413a88958 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -10202,6 +10202,11 @@ void packet_hci_scodata(struct timeval *tv, struct ucred *cred, uint16_t index, uint8_t flags = acl_flags(handle); char handle_str[16], extra_str[32]; + if (index > MAX_INDEX) { + print_field("Invalid index (%d).", index); + return; + } + index_list[index].frame++; if (size < HCI_SCO_HDR_SIZE) { -- 2.47.3