Fix segfault caused by buffer over-read in packet_hci_scodata function
of monitor/packet.c.
Fix is to check that index is not bigger than MAX_INDEX.
This bug was found by fuzzing with AFL.
---
monitor/packet.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/monitor/packet.c b/monitor/packet.c
index 3e2a08a1c..fb6d7e46c 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10170,6 +10170,11 @@ void packet_hci_scodata(struct timeval *tv, struct ucred *cred, uint16_t index,
uint8_t flags = acl_flags(handle);
char handle_str[16], extra_str[32];
+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
index_list[index].frame++;
if (size < HCI_SCO_HDR_SIZE) {
--
2.17.1