openSUSE:Leap:15.4:ARM
File hcidump-Fix-memory-leak-with-malformed-packet.patch of Package bluez.25899
From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001 From: "Cho, Yu-Chen" <acho@suse.com> Date: Wed, 24 Apr 2019 16:10:56 +0800 Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet Do not allow to read more than allocated data buffer size. Because of the buffer is malloc(HCI_MAX_FRAME_SIZE), so there is heap buffer overflow if read the size more than HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE. --- tools/hcidump.c | 9 +++++++++ 1 file changed, 9 insertions(+) Index: bluez-5.48/tools/hcidump.c =================================================================== --- bluez-5.48.orig/tools/hcidump.c +++ bluez-5.48/tools/hcidump.c @@ -104,6 +104,15 @@ struct pktlog_hdr { static inline int read_n(int fd, char *buf, int len) { int t = 0, w; + off_t fsize, currentpos, startpos; + + currentpos = lseek(fd, 0, SEEK_CUR); + fsize = lseek(fd, 0, SEEK_END); + lseek(fd, currentpos, SEEK_SET); + fsize -= currentpos; + + if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE) + return -1; while (len > 0) { if ((w = read(fd, buf, len)) < 0) {
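Review bot: In read_n(), the new bound check relies on three lseek() calls whose return values are never checked, so on a descriptor that is not seekable (a pipe, for example) each lseek() returns -1, `fsize -= currentpos` yields 0, and the `fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE` test passes silently with an oversized len. Since the commit message gives the buffer as malloc(HCI_MAX_FRAME_SIZE), the safe limit on len is known without consulting the file size: consider dropping the lseek() logic and rejecting the request directly, e.g. `if (len < 0 || len > HCI_MAX_FRAME_SIZE) return -1;`, or validating the length at the call site, where it is taken from the packet header and the remaining buffer space is known. The declared `startpos` is never used and can be removed. The subject line says "memory leak" while the body describes a heap buffer overflow; the subject should match what the change addresses.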