Check in packet_ctrl_open that parsed length is not more than buffer size.
Bug was found by fuzzing btmon with AFL.
---
monitor/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monitor/packet.c b/monitor/packet.c
index fb6d7e46c..8f7464b1f 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10246,7 +10246,7 @@ void packet_ctrl_open(struct timeval *tv, struct ucred *cred, uint16_t index,
flags = get_le32(data + 3);
ident_len = get_u8(data + 7);
- if (ident_len > size) {
+ if ((8 + ident_len) > size) {
print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
"Malformed Control Open packet", NULL, NULL);
return;
--
2.17.1