Date: Tue, 11 May 2021 15:28:42 +0800
Message-Id: <20210511152807.Bluez.v1.1.I6d2ab6907d9a84fa62ac8a39daef5bef7ff545d5@changeid>
Subject: [Bluez PATCH v1] monitor: Fix possible crash of rfcomm packet
From: Howard Chung
To: linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com
Cc: chromeos-bluetooth-upstreaming@chromium.org, Yun-Hao Chung, apusaka@chromium.org

From: Yun-Hao Chung

When RFCOMM_TEST_EA returns false, btmon assumes the packet data is at least 5 bytes long. If that assumption fails, btmon could crash when trying to read the next byte. This patch fixes it by checking the remaining size before reading the last byte.

Reviewed-by: apusaka@chromium.org
---
monitor/rfcomm.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c
index 9b88a3440e31..76b1123bb23d 100644
--- a/monitor/rfcomm.c +++ b/monitor/rfcomm.c @@ -452,6 +452,9 @@ void rfcomm_packet(const struct l2cap_frame *frame) hdr.length = GET_LEN16(hdr.length); } + if (l2cap_frame->size == 0) + goto fail; + l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1); if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)) -- 2.31.1.607.g51e8a6a459-goog
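Review bot: the `l2cap_frame->size == 0` guard in front of `l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1)` is the right place for the fix, since with nothing left in the frame `size-1` is not a valid pull length and the following `l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)` reads from a frame that was never bounded by real data; the commit message, however, does not describe what the hunk checks: it says btmon "assumes the packet data is at least 5 bytes long", while the added test only guarantees that one byte (the FCS) remains. Suggest rewording the message to say the check ensures at least one byte is left for the FCS, or stating that the earlier field reads already fail safely on shorter input. Minor: while touching this spot, `l2cap_frame->size-1` could become `l2cap_frame->size - 1` to match the operator spacing in the rest of the hunk.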