From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <acho@suse.com>
Date: Wed, 24 Apr 2019 16:10:56 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
 tools/hcidump.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Index: bluez-5.60/tools/hcidump.c
===================================================================
--- bluez-5.60.orig/tools/hcidump.c
+++ bluez-5.60/tools/hcidump.c
@@ -92,6 +92,15 @@ struct pktlog_hdr {
 static inline int read_n(int fd, char *buf, int len)
 {
 	int t = 0, w;
+	off_t fsize, currentpos, startpos;
+
+	currentpos = lseek(fd, 0, SEEK_CUR);
+	fsize = lseek(fd, 0, SEEK_END);
+	lseek(fd, currentpos, SEEK_SET);
+	fsize -= currentpos;
+
+	if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+		return -1;
 
 	while (len > 0) {
 		if ((w = read(fd, buf, len)) < 0) {