bluez/hcidump-Fix-memory-leak-with-malformed-packet.patch

34 lines
1.1 KiB
Diff
Raw Permalink Normal View History

From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <acho@suse.com>
Date: Wed, 24 Apr 2019 16:10:56 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
tools/hcidump.c | 9 +++++++++
1 file changed, 9 insertions(+)
Index: bluez-5.60/tools/hcidump.c
===================================================================
--- bluez-5.60.orig/tools/hcidump.c
+++ bluez-5.60/tools/hcidump.c
@@ -92,6 +92,15 @@ struct pktlog_hdr {
static inline int read_n(int fd, char *buf, int len)
{
int t = 0, w;
+ off_t fsize, currentpos, startpos;
+
+ currentpos = lseek(fd, 0, SEEK_CUR);
+ fsize = lseek(fd, 0, SEEK_END);
+ lseek(fd, currentpos, SEEK_SET);
+ fsize -= currentpos;
+
+ if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+ return -1;
while (len > 0) {
if ((w = read(fd, buf, len)) < 0) {