2018-10-16 20:18:51

by Matias Karhumaa

Subject: [PATCH 06/12] btmon: fix multiple segfaults

Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.

Crashes were found by fuzzing btmon with AFL.
---
monitor/packet.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index 8f7464b1f..abdc18aa2 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -9949,13 +9949,17 @@ void packet_hci_command(struct timeval *tv, struct ucred *cred, uint16_t index,
char extra_str[25], vendor_str[150];
int i;

+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
index_list[index].frame++;

- if (size < HCI_COMMAND_HDR_SIZE) {
+ if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
sprintf(extra_str, "(len %d)", size);
print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
"Malformed HCI Command packet", NULL, extra_str);
- packet_hexdump(data, size);
return;
}

@@ -10052,6 +10056,12 @@ void packet_hci_event(struct timeval *tv, struct ucred *cred, uint16_t index,
char extra_str[25];
int i;

+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
+
index_list[index].frame++;

if (size < HCI_EVENT_HDR_SIZE) {
@@ -10126,6 +10136,11 @@ void packet_hci_acldata(struct timeval *tv, struct ucred *cred, uint16_t index,
uint8_t flags = acl_flags(handle);
char handle_str[16], extra_str[32];

+ if (index > MAX_INDEX) {
+ print_field("Invalid index (%d).", index);
+ return;
+ }
+
index_list[index].frame++;

if (size < HCI_ACL_HDR_SIZE) {
--
2.17.1