Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3753848pxj; Tue, 11 May 2021 11:06:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxqfCNMArPA1/qLQ7VGxBQO3+XXlqvwPgUCRuUZvocpVmAa5yljuQftHLQge8PDglirCha6 X-Received: by 2002:ac2:4c86:: with SMTP id d6mr21649038lfl.32.1620756403206; Tue, 11 May 2021 11:06:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620756403; cv=none; d=google.com; s=arc-20160816; b=Y0eP4+jDvRyvSbDxCUQf6gjeDnKiVjaiBnsCVPj7HFJ7mfpaRTUihyKHEkMN8zxxAr alJD3qRkmKfsCKV0Yl9BmKlk2IWJ59BVswpKWPeVDcgSNI1neoW/aqlsYOvGlsIvqAEH C2ZJhowwyDC7b1eF15BdaidwB2aA3XcfT/BVdqnkY7TqGbEvWLag4P1ocDE3xT9vBvT4 5WVmcr/EiuE/tdon64u61uA9nUE6ZMfQVsKOueU073qAYBVhxvGLGfZVam1sayeqIvB+ 0dTZ8oLSD4kwAqgkD8aJ+tZC4BHmYweT/qZa1o00A6ZNkb6fUIkjcD4K2XGSLTgox/bI 8FQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=zdDJxG9IGj/xdsLMmHFEAKBlvZKxaTVxkJYJhr2qjI0=; b=sgyj0wyzWGMcz2sXHyWPyzkVb0JuoZTzrZRFtA/RqrZmXbJNXN7+wZ6MMQZnV74H85 MqWE/khWYhKVdzlX5ypvoI6XKoKcJvik6HOqTCx2h3f444A2mOAaNXIR86RcVJ+kpXkm Fswh3PjOnX0xjE1IDHx7yWkbcAQ2opwvSoJK7Bisqdjlzg3cJT9KJo5wTb8B5vf2shDi cXPwfw3fH4vQbl3XXGmdt8cjnfyG1eAX7+fbCIg9B5h+2xv0TGLZrIVCE5kQbrzr4dJU ON5K4Iigtcb/Da0UBEmSs6lQAEpWrTWBwg9KEF1fcLxep3SH4VADvAvBUwRXolAAcFrW 5FAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Z0KIryTf; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b40si1364873ljr.573.2021.05.11.11.06.12; Tue, 11 May 2021 11:06:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Z0KIryTf; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231502AbhEKSF4 (ORCPT + 99 others); Tue, 11 May 2021 14:05:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41534 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231587AbhEKSF4 (ORCPT ); Tue, 11 May 2021 14:05:56 -0400 Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 826BCC061574 for ; Tue, 11 May 2021 11:04:48 -0700 (PDT) Received: by mail-yb1-xb2a.google.com with SMTP id 15so27545204ybc.0 for ; Tue, 11 May 2021 11:04:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zdDJxG9IGj/xdsLMmHFEAKBlvZKxaTVxkJYJhr2qjI0=; b=Z0KIryTf5PYZFuKEBdhQwWMoxZBKsU6p7apMJtSYlGxlNqO1L3TQcrYVyB1c8rHj/h xCvtIPQaOgDztU23Z3XoAVLeqVXo5uMMRa/syd9pclv8Lp70U9ANAfNoaXlsEzEFFvMj VGw9pc0PBBMU7UwjiiUI5B3hyJUwf+b5TdzttpeMT0USOERhWHSYujlVbaX+HutrR1vX CfvVp/FF+61VxifdBiiH6/7yo3VdXW3rX+G+YVDFqR+zyvkBnardgENO7CsRgzCsbyoE kkeptsjYRTXGU7vNVMashrSXnXyYHfpfnOGljD3s8gYsL/wPDySVikBaV+U0bAmYVdO3 IfVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zdDJxG9IGj/xdsLMmHFEAKBlvZKxaTVxkJYJhr2qjI0=; b=NNT7sX5+xqCEbQdBx5ZKqkOfermtKJ73EKt3rTdMIuiOuTs57MSy4QExPm2GhNARU1 yMeMOS9nmOpB6QyKbNvr/1H9wirBVXezBq9Zv3cRiy9SE+O6mB11yByoV5wNB1QjQ1sK buv9A2et7S9xAAuWIBWXl2Kwgu7Iwr7MbSOSo+Yc82ULY2do8cMJKvZzOnvJuhiWLj7E Xnh4AsKlJ3W/LgpWQuHEWuK/GVUU7QFE0z0/7vNpeYbCYgT9IZeAAqE0w/JoYwBChLrK FKQgjMozEChDIwl1DsrqeR0dFZCEyDAkY2j/nIfhUqHRjZrOFbjnMA56xzxG+jYqpeaA O4ow== X-Gm-Message-State: AOAM530v80MvkB3FeusWkXdtamBTihX+e2PGuZbbyZHTaggwMqMbldMt 7HbhZGVbHXiSyAJ6bHxAl6FzizOVdCUFSTdinNGzG6y9 X-Received: by 2002:a25:9a04:: with SMTP id x4mr26758873ybn.440.1620756287718; Tue, 11 May 2021 11:04:47 -0700 (PDT) MIME-Version: 1.0 References: <20210511152807.Bluez.v1.1.I6d2ab6907d9a84fa62ac8a39daef5bef7ff545d5@changeid> In-Reply-To: <20210511152807.Bluez.v1.1.I6d2ab6907d9a84fa62ac8a39daef5bef7ff545d5@changeid> From: Luiz Augusto von Dentz Date: Tue, 11 May 2021 11:04:36 -0700 Message-ID: Subject: Re: [Bluez PATCH v1] monitor: Fix possible crash of rfcomm packet To: Howard Chung Cc: "linux-bluetooth@vger.kernel.org" , ChromeOS Bluetooth Upstreaming , Yun-Hao Chung , Archie Pusaka Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Howard, On Tue, May 11, 2021 at 12:28 AM Howard Chung wrote: > > From: Yun-Hao Chung > > When RFCOMM_TEST_EA returns false, btmon assumes packet data has at > least 5 bytes long. If that assumption fails, btmon could crash when > trying to read the next byte. > This patch fix it by checking the remaining size before reading the last > byte. > > Reviewed-by: apusaka@chromium.org > --- > > monitor/rfcomm.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c > index 9b88a3440e31..76b1123bb23d 100644 > --- a/monitor/rfcomm.c > +++ b/monitor/rfcomm.c > @@ -452,6 +452,9 @@ void rfcomm_packet(const struct l2cap_frame *frame) > hdr.length = GET_LEN16(hdr.length); > } > > + if (l2cap_frame->size == 0) > + goto fail; > + if (!l2cap_frame->size) > l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1); Or perhaps we can make l2cap_frame_pull check if it can really pull the frame and return false if it doesn't just as get_*. > if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)) > -- > 2.31.1.607.g51e8a6a459-goog > -- Luiz Augusto von Dentz