2018-03-16 10:43:34

by Al Cho

Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

The Supported Commands is a 64 octet bit field.
Do not allow reading more than the size.
---
tools/parser/csr.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/tools/parser/csr.c b/tools/parser/csr.c
index a0a4eb5fe..d14830821 100644
--- a/tools/parser/csr.c
+++ b/tools/parser/csr.c
@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, struct frame *frm)
unsigned char commands[64];
unsigned int i;

+ if (frm->len > 64) {
+ perror("Read Error");
+ exit(0);
+ }
+
memcpy(commands, frm->ptr, frm->len);

p_indent(level, frm);
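Review bot: In the new length check ahead of the memcpy, perror() and exit(0) are the wrong way to reject the frame: nothing in this path sets errno, so perror("Read Error") appends an unrelated error string, and exit(0) terminates the whole dump with a success status because of a single malformed packet. Consider printing a short parser message and returning from commands_dump() (or clamping the copy length) so the remaining frames are still decoded, and write the bound as sizeof(commands) rather than the literal 64 so it follows the buffer declaration. The subject line calls this a memory leak, but what the check prevents is memcpy writing past the end of the 64-byte commands[] stack buffer when frm->len is larger, so the commit message should describe it as an overflow.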
--
2.16.2