From f01e006a26e42581c092efc10b68c2f51f3bb6f3 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa
Date: Tue, 16 Oct 2018 23:21:17 +0300
Subject: [PATCH] btmon: Fix crash caused by integer underflow

Check in packet_ctrl_open that parsed length is not more than buffer size. Bug was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index 413a88958..cbb3d2b12 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10278,7 +10278,7 @@ void packet_ctrl_open(struct timeval *tv, struct ucred *cred, uint16_t index,
 	flags = get_le32(data + 3);
 	ident_len = get_u8(data + 7);
 
-	if (ident_len > size) {
+	if ((8 + ident_len) > size) {
 		print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
 				"Malformed Control Open packet", NULL, NULL);
 		return;
-- 
2.47.3
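Review bot: The new bound only covers the identifier bytes; the reads `get_le32(data + 3)` and `get_u8(data + 7)` on the two context lines above it run before any length check visible in this hunk, so unless packet_ctrl_open already rejects `size < 8` earlier (the function starts outside the hunk), a packet shorter than 8 bytes is still read past its end before the new comparison is reached. If no such earlier guard exists, adding `if (size < 8) { print_packet(tv, cred, '*', index, NULL, COLOR_ERROR, "Malformed Control Open packet", NULL, NULL); return; }` ahead of the field reads would make this check complete. The literal 8 also deserves a why-comment next to the new line, e.g. `/* 3 + 4 (flags) + 1 (ident_len) header bytes precede the identifier */`, since it is derived from the offsets of the two reads above rather than a named constant.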