From ab14539c27b6e369e868c9b2227fd92d35511540 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:19:38 +0300
Subject: [PATCH] btmon: fix segfault caused by buffer over-read

Fix segfault caused by buffer over-read. Check that index is not
bigger than MAX_INDEX.

This bug was found by fuzzing with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>,
    label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
warning: Source file is more recent than executable.
317					index_list[index].frame != last_frame) {
(gdb) bt
 #0  0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>,
    label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
 #1  0x000000000041a8c3 in packet_new_index (tv=<optimized out>, index=<optimized out>, name=0x7fffffffda68 "rsion 4.18.0-matias-patch2 (x86_64)", label=<optimized out>,
    type=<optimized out>, bus=<optimized out>) at monitor/packet.c:9818
 #2  packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=<optimized out>, opcode=<optimized out>, data=0x7fffffffda60, size=<optimized out>) at monitor/packet.c:3881
 #3  0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
 #4  0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index 6932f592d..2b58a47da 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -310,7 +310,7 @@ static void print_packet(struct timeval *tv, struct ucred *cred, char ident,
 			ts_pos += n;
 			ts_len += n;
 		}
-	} else if (index != HCI_DEV_NONE &&
+	} else if (index != HCI_DEV_NONE && index < MAX_INDEX &&
 				index_list[index].frame != last_frame) {
 		if (use_color()) {
 			n = sprintf(ts_str + ts_pos, "%s", COLOR_FRAME_LABEL);
-- 
2.47.3