From 8da5f210c47832404f01c5d059c4956e745b858b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa
Date: Tue, 16 Oct 2018 23:22:42 +0300
Subject: [PATCH] btmon: fix segfault caused by integer underflow

Fix segfault caused by integer underflow in set_event_filter_cmd(). Fix is to check that size is big enough before subtracting to prevent underflow. Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/monitor/packet.c b/monitor/packet.c
index f7b4c40e6..914eaedbc 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -4724,6 +4724,10 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
  break;
  case 0x01:
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
  filter = *((const uint8_t *) (data + 1));
  switch (filter) {
@@ -4763,11 +4767,21 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
  break;
  }
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
+
  print_field("Filter: %s (0x%2.2x)", str, filter);
  packet_hexdump(data + 2, size - 2);
  break;
  default:
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
+
  filter = *((const uint8_t *) (data + 1));
  print_field("Filter: Reserved (0x%2.2x)", filter);
-- 
2.47.3
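Review bot: The `if (size < 2)` guard added before `print_field` in the second hunk appears redundant with the one added at the top of `case 0x01` in the first hunk: both test the same `size`, nothing visible between them modifies it, and the inner `switch (filter)` that sits between them (its start is outside this hunk) only selects `str`, so the second check can never fire once the first is in place. Either drop it, or if it is meant to survive a future reordering of the case, say so with a one-line comment such as `/* size checked at case entry; kept so size - 2 below stays non-negative if this block is moved */`. The hazard the commit fixes also deserves a comment at the `packet_hexdump(data + 2, size - 2)` call, since `size` is `uint8_t` and `size - 2` is a negative `int` for `size < 2`, which is presumably widened to a large unsigned length in the callee and is the out-of-bounds read the fuzzer hit; something like `/* size >= 2 guaranteed above: size - 2 must not go negative */` would keep the next reader from removing the guard as dead code. set_event_filter_cmd starts before the first hunk and continues past the second.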