2019-04-24 09:16:28

by Al Cho

[permalink] [raw]
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
tools/hcidump.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/tools/hcidump.c b/tools/hcidump.c
index 33d429b6c..6cc55404d 100644
--- a/tools/hcidump.c
+++ b/tools/hcidump.c
@@ -105,6 +105,15 @@ struct pktlog_hdr {
static inline int read_n(int fd, char *buf, int len)
{
int t = 0, w;
+ off_t fsize, currentpos, startpos;
+
+ currentpos = lseek(fd, 0, SEEK_CUR);
+ fsize = lseek(fd, 0, SEEK_END);
+ lseek(fd, currentpos, SEEK_SET);
+ fsize -= currentpos;
+
+ if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+ return -1;

while (len > 0) {
if ((w = read(fd, buf, len)) < 0) {
--
2.21.0