From: Yun-hao Chung
Date: Wed, 12 May 2021 10:22:54 +0800
Subject: Re: [Bluez PATCH v1] monitor: Fix possible crash of rfcomm packet
To: Luiz Augusto von Dentz
Cc: "linux-bluetooth@vger.kernel.org", ChromeOS Bluetooth Upstreaming, Yun-Hao Chung, Archie Pusaka
References: <20210511152807.Bluez.v1.1.I6d2ab6907d9a84fa62ac8a39daef5bef7ff545d5@changeid>
List-ID: linux-bluetooth@vger.kernel.org

On Wed, May 12, 2021 at 2:04 AM Luiz Augusto von Dentz wrote:
>
> Hi Howard,
>
> On Tue, May 11, 2021 at 12:28 AM Howard Chung wrote:
> >
> > From: Yun-Hao Chung
> >
> > When RFCOMM_TEST_EA returns false, btmon assumes packet data is at
> > least 5 bytes long. If that assumption fails, btmon could crash when
> > trying to read the next byte.
> > This patch fixes it by checking the remaining size before reading the last
> > byte.
> >
> > Reviewed-by: apusaka@chromium.org
> > ---
> >
> >  monitor/rfcomm.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c
> > index 9b88a3440e31..76b1123bb23d 100644
> > --- a/monitor/rfcomm.c
> > +++ b/monitor/rfcomm.c
> > @@ -452,6 +452,9 @@ void rfcomm_packet(const struct l2cap_frame *frame)
> > 		hdr.length = GET_LEN16(hdr.length);
> > 	}
> >
> > +	if (l2cap_frame->size == 0)
> > +		goto fail;
> > +
>
> if (!l2cap_frame->size) will do.
>
> >
> > 	l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1);
>
> Or perhaps we can make l2cap_frame_pull check if it can really pull
> the frame and return false if it doesn't just as get_*.

IMO, this might not be the best solution. Since |len| in l2cap_frame_pull is
uint16_t, when l2cap_frame->size-1 overflows it might confuse people.

> >
> > 	if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs))
> > --
> > 2.31.1.607.g51e8a6a459-goog
> >
>
>
> --
> Luiz Augusto von Dentz
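Review bot: the added `if (l2cap_frame->size == 0) goto fail;` needs a one-line comment saying why a zero remaining size has to be rejected at this point, because the hazard is invisible from the hunk alone: the next statement, `l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1);`, hands `size-1` to a `uint16_t` length parameter (as Yun-hao's reply notes), so an empty remainder arrives as a large positive offset rather than a negative one, and `l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)` then reads beyond the packet. Suggest `/* size-1 below would wrap on an empty payload */` above the check, written as `if (!l2cap_frame->size)` per the style comment in this thread. The commit message also ties the crash to `RFCOMM_TEST_EA` returning false, yet the guard sits after the closing `}` of that branch and therefore covers the one-byte-length path as well; it would be clearer to state that the check protects the FCS read regardless of header length.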
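The two ways of guarding the FCS read that the thread argues over, as an added C example that is not BlueZ code: a cut-down model of `l2cap_frame`, `l2cap_frame_pull` and `l2cap_frame_get_u8` (names from the thread, bodies assumed), the tail of `rfcomm_packet()` with the patch's explicit size check, and the alternative Luiz suggested, a pull that validates its length and returns false. The `wrapped_pull_len` helper, the `demo` driver and the sample packet are constructed for the demonstration and show why the checked pull only works by way of the uint16_t wrap Yun-hao objects to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cut-down model of btmon's frame cursor (assumption: the real struct has more). */
struct l2cap_frame {
	const uint8_t *data;
	uint16_t size;		/* bytes remaining; unsigned, as in the thread */
};

/* Unchecked pull, modelled on the call site in the hunk: the caller is
 * responsible for len <= src->size. Because len is uint16_t, a negative
 * int such as 0 - 1 arrives here as 65535. */
static void l2cap_frame_pull(struct l2cap_frame *dst,
			     const struct l2cap_frame *src, uint16_t len)
{
	dst->data = src->data + len;
	dst->size = (uint16_t)(src->size - len);
}

/* Bounds-checked single-byte read, in the style of the get_* helpers. */
static bool l2cap_frame_get_u8(struct l2cap_frame *f, uint8_t *out)
{
	if (f->size < 1)
		return false;
	*out = *f->data++;
	f->size--;
	return true;
}

/* Luiz's alternative: make pull itself refuse a length it cannot satisfy. */
static bool l2cap_frame_pull_checked(struct l2cap_frame *dst,
				     const struct l2cap_frame *src, uint16_t len)
{
	if (len > src->size)
		return false;
	l2cap_frame_pull(dst, src, len);
	return true;
}

/* What size - 1 becomes once converted to the uint16_t len parameter. */
static uint16_t wrapped_pull_len(uint16_t size)
{
	return (uint16_t)(size - 1);
}

/* Tail of rfcomm_packet() with the patch's guard (written !size, as the
 * review asked): skip to the last remaining byte and read it as the FCS. */
static bool read_fcs_guarded(const struct l2cap_frame *frame, uint8_t *fcs)
{
	struct l2cap_frame tmp;

	if (!frame->size)	/* size - 1 below would wrap on an empty remainder */
		return false;
	l2cap_frame_pull(&tmp, frame, frame->size - 1);
	return l2cap_frame_get_u8(&tmp, fcs);
}

/* Same tail using the checked pull instead. It also rejects an empty
 * remainder, but only because 0 - 1 wraps to 65535, which exceeds any
 * size: correct, yet a reader must know about the wrap to see that,
 * which is the objection raised in the reply. */
static bool read_fcs_checked_pull(const struct l2cap_frame *frame, uint8_t *fcs)
{
	struct l2cap_frame tmp;

	if (!l2cap_frame_pull_checked(&tmp, frame, frame->size - 1))
		return false;
	return l2cap_frame_get_u8(&tmp, fcs);
}

/* Constructed sample packet: 3 header bytes (address, control, length with
 * EA set), then 2 payload bytes and the FCS 0x9a at the end. */
static const uint8_t sample_packet[] = { 0x03, 0xef, 0x05, 0x11, 0x22, 0x9a };
#define SAMPLE_HDR_LEN 3

/* Runs one of the two tails over the sample with `remaining` bytes left
 * after the header. Returns the FCS byte, -1 if the tail rejected the
 * frame, -2 if remaining exceeds what the sample holds. */
static int demo(bool guarded, uint16_t remaining)
{
	struct l2cap_frame f = { sample_packet + SAMPLE_HDR_LEN, remaining };
	uint8_t fcs;
	bool ok;

	if (remaining > sizeof(sample_packet) - SAMPLE_HDR_LEN)
		return -2;
	ok = guarded ? read_fcs_guarded(&f, &fcs)
		     : read_fcs_checked_pull(&f, &fcs);
	return ok ? fcs : -1;
}

int main(void)
{
	printf("size 0 -> pull len %u\n", wrapped_pull_len(0));
	printf("guarded: 3 left -> %d, 0 left -> %d\n", demo(true, 3), demo(true, 0));
	printf("checked pull: 3 left -> %d, 0 left -> %d\n", demo(false, 3), demo(false, 0));
	return 0;
}
```

Both tails return the FCS 0x9a when three bytes remain and fail cleanly when none do; the difference is only in how readable the reason for the failure is, which is the point of the disagreement in the thread.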