File 0007-btmon-fix-segfault-caused-by-integer-underflow.patch of Package bluez.10088
From 8da5f210c47832404f01c5d059c4956e745b858b Mon Sep 17 00:00:00 2001 From: Matias Karhumaa <matias.karhumaa@gmail.com> Date: Tue, 16 Oct 2018 23:22:42 +0300 Subject: [PATCH 07/13] btmon: fix segfault caused by integer underflow Fix segfault caused by integer underflow in set_event_filter_cmd(). Fix is to check that size is big enough before subtracting to prevent underflow. Crash was found by fuzzing btmon with AFL. --- monitor/packet.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) Index: bluez-5.48/monitor/packet.c =================================================================== --- bluez-5.48.orig/monitor/packet.c +++ bluez-5.48/monitor/packet.c @@ -4791,6 +4791,10 @@ static void set_event_filter_cmd(const v break; case 0x01: + if (size < 2) { + print_text(COLOR_ERROR, " invalid parameter size"); + break; + } filter = *((const uint8_t *) (data + 1)); switch (filter) { @@ -4830,11 +4834,21 @@ static void set_event_filter_cmd(const v break; } + if (size < 2) { + print_text(COLOR_ERROR, " invalid parameter size"); + break; + } + print_field("Filter: %s (0x%2.2x)", str, filter); packet_hexdump(data + 2, size - 2); break; default: + if (size < 2) { + print_text(COLOR_ERROR, " invalid parameter size"); + break; + } + filter = *((const uint8_t *) (data + 1)); print_field("Filter: Reserved (0x%2.2x)", filter);
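Review bot: in the first hunk the new `if (size < 2)` guard is placed inside `case 0x01:` only, while the `default:` case dereferences `data + 1` in exactly the same way and has to be patched separately in the second hunk; unless the `case 0x00:` branch (the `break;` at the top of this hunk) legitimately accepts a one-byte parameter, a single check before the outer `switch` would cover both cases once and avoid the copy-pasted block. Either way the commit message should say which read the check protects: at `size == 1` the first fault is the `*((const uint8_t *) (data + 1))` load, not the later `size - 2`.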
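Review bot: in the second hunk, the `if (size < 2)` added after the inner `switch (filter)` in `case 0x01:` is unreachable with `size < 2`, because the identical check at the top of the same case (first hunk) already breaks out before `filter` is read; it can be dropped. If the intent was to protect `packet_hexdump(data + 2, size - 2)`, that call is already safe once `size >= 2` holds, so what is worth checking here is whatever the inner `switch` cases consume beyond offset 2, which this hunk does not bound. The matching check in the `default:` case is needed, since that branch reads `data + 1` without the earlier guard.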