34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001
|
|
From: "Cho, Yu-Chen" <acho@suse.com>
|
|
Date: Wed, 24 Apr 2019 16:10:56 +0800
|
|
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
|
|
|
|
Do not allow to read more than allocated data buffer size.
|
|
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
|
|
so there is heap buffer overflow if read the size more than
|
|
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
|
|
---
|
|
tools/hcidump.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
Index: bluez-5.60/tools/hcidump.c
|
|
===================================================================
|
|
--- bluez-5.60.orig/tools/hcidump.c
|
|
+++ bluez-5.60/tools/hcidump.c
|
|
@@ -92,6 +92,15 @@ struct pktlog_hdr {
|
|
static inline int read_n(int fd, char *buf, int len)
|
|
{
|
|
int t = 0, w;
|
|
+ off_t fsize, currentpos, startpos;
|
|
+
|
|
+ currentpos = lseek(fd, 0, SEEK_CUR);
|
|
+ fsize = lseek(fd, 0, SEEK_END);
|
|
+ lseek(fd, currentpos, SEEK_SET);
|
|
+ fsize -= currentpos;
|
|
+
|
|
+ if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
|
|
+ return -1;
|
|
|
|
while (len > 0) {
|
|
if ((w = read(fd, buf, len)) < 0) {
|