From: Jacob Siverskog
To: linux-bluetooth@vger.kernel.org
Cc: Jacob Siverskog
Subject: [PATCH BlueZ] btmon: fix buffer bound checks
Date: Tue, 22 Dec 2020 21:45:47 +0100
Message-Id: <20201222204547.27839-1-jacob@teenage.engineering>

index_list is of size MAX_INDEX - correct the checks that are meant to catch out-of-bounds access.

--- monitor/packet.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/monitor/packet.c b/monitor/packet.c index c8c835d53..c91b91e2b 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -3879,7 +3879,7 @@ void packet_monitor(struct timeval *tv, struct ucred *cred, index_current = index; } - if (index != HCI_DEV_NONE && index > MAX_INDEX) { + if (index != HCI_DEV_NONE && index >= MAX_INDEX) { print_field("Invalid index (%d)", index); return; } 
@@ -11133,7 +11133,7 @@ void packet_hci_command(struct timeval *tv, struct ucred *cred, uint16_t index, char extra_str[25], vendor_str[150]; int i; - if (index > MAX_INDEX) { + if (index >= MAX_INDEX) { print_field("Invalid index (%d).", index); return; } @@ -11240,7 +11240,7 @@ void packet_hci_event(struct timeval *tv, struct ucred *cred, uint16_t index, char extra_str[25]; int i; - if (index > MAX_INDEX) { + if (index >= MAX_INDEX) { print_field("Invalid index (%d).", index); return; } @@ -11320,7 +11320,7 @@ void packet_hci_acldata(struct timeval *tv, struct ucred *cred, uint16_t index, uint8_t flags = acl_flags(handle); char handle_str[16], extra_str[32]; - if (index > MAX_INDEX) { + if (index >= MAX_INDEX) { print_field("Invalid index (%d).", index); return; } @@ -11369,7 +11369,7 @@ void packet_hci_scodata(struct timeval *tv, struct ucred *cred, uint16_t index, uint8_t flags = acl_flags(handle); char handle_str[16], extra_str[32]; - if (index > MAX_INDEX) { + if (index >= MAX_INDEX) { print_field("Invalid index (%d).", index); return; } @@ -11416,7 +11416,7 @@ void packet_hci_isodata(struct timeval *tv, struct ucred *cred, uint16_t index, uint8_t flags = acl_flags(handle); char handle_str[16], extra_str[32]; - if (index > MAX_INDEX) { + if (index >= MAX_INDEX) { print_field("Invalid index (%d).", index); return; } -- 2.29.2
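Review bot: In the packet_monitor hunk (@@ -3879), the context line `index_current = index;` sits above the corrected check, so the value is stored before it has been validated. If anything between function entry and the check, or any later reader of index_current, uses it to subscript index_list, the corrected bound does not cover that path; consider moving the `index >= MAX_INDEX` test ahead of the assignment, or confirm in the commit message that index_current is never used as an array index. This hunk also exempts HCI_DEV_NONE from the check, so any index_list access after it needs its own guard for that value; the hunk does not show one. Minor: the message here is "Invalid index (%d)" without the trailing period that the other five copies have.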
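Review bot: The five hunks in packet_hci_command, packet_hci_event, packet_hci_acldata, packet_hci_scodata and packet_hci_isodata each carry their own copy of `if (index >= MAX_INDEX)` and the same print_field message, which is how all six sites came to share the same off-by-one. A single static helper that performs the comparison and prints the message, called from each function, would keep the bound in one place. The commit message would also be easier to triage if it stated the concrete effect: with the old `>` comparison, index == MAX_INDEX passed the check and would address one element past the end of index_list.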