File 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch of Package bluez.25899
From c3d4ca78385dccd5daf49444605a5a8363a6e84b Mon Sep 17 00:00:00 2001 From: Matias Karhumaa <matias.karhumaa@gmail.com> Date: Tue, 16 Oct 2018 23:20:08 +0300 Subject: [PATCH 02/13] btmon: fix segfault caused by buffer over-read Fix segmentation fault caused by buffer over-read in packet_ctrl_open(). Fix is to check that ident_len is not bigger than size. This bug was found by fuzzing btmon with AFL. Program received signal SIGSEGV, Segmentation fault. 0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813 3813 str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf]; (gdb) bt #0 0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813 #1 0x000000000041eda4 in packet_ctrl_open (tv=<optimized out>, cred=<optimized out>, index=<optimized out>, data=0x7fffffffda7e, size=<optimized out>) at monitor/packet.c:10286 #2 0x000000000041b193 in packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=65535, opcode=<optimized out>, data=0x7fffffffda60, size=14) at monitor/packet.c:3957 #3 0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462 #4 0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243 (gdb) --- monitor/packet.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: bluez-5.48/monitor/packet.c =================================================================== --- bluez-5.48.orig/monitor/packet.c +++ bluez-5.48/monitor/packet.c @@ -10354,6 +10354,12 @@ void packet_ctrl_open(struct timeval *tv flags = get_le32(data + 3); ident_len = get_u8(data + 7); + if (ident_len > size) { + print_packet(tv, cred, '*', index, NULL, COLOR_ERROR, + "Malformed Control Open packet", NULL, NULL); + return; + } + data += 8; size -= 8;
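Review bot: the bound in the added check is off by the fixed header length. `ident_len` is read from `data + 7`, but the identity bytes only begin after `data += 8; size -= 8;`, so comparing `ident_len > size` still lets a packet whose identity length exceeds the remaining payload through (for example `size == 10` with `ident_len == 9` passes the check and the later hexdump reads beyond the buffer). Either move the check below `size -= 8;` or compare against the payload that remains, e.g. `if (size < 8 + ident_len)`; the hunk also does not show a prior `size >= 8` check, so if none exists above the shown context, the unsigned subtraction in `size -= 8` should be guarded as well.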