Fix segfault caused by integer underflow in set_event_filter_cmd(). Fix is to check that size is big enough before subtracting to prevent underflow. Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/monitor/packet.c b/monitor/packet.c
index abdc18aa2..461f5e84b 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -4726,6 +4726,10 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
 break;
 case 0x01:
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
 filter = *((const uint8_t *) (data + 1));
 switch (filter) {
@@ -4765,11 +4769,21 @@ static void set_event_filter_cmd(const void *data, uint8_t size)
 break;
 }
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
+
 print_field("Filter: %s (0x%2.2x)", str, filter);
 packet_hexdump(data + 2, size - 2);
 break;
 default:
+ if (size < 2) {
+ print_text(COLOR_ERROR, " invalid parameter size");
+ break;
+ }
+
 filter = *((const uint8_t *) (data + 1));
 print_field("Filter: Reserved (0x%2.2x)", filter);
-- 
2.17.1
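Review bot: The second `if (size < 2)` check, added just before `print_field("Filter: %s (0x%2.2x)", str, filter);` in the second hunk, can never fire: it sits at the tail of the same `case 0x01:` whose entry already rejects `size < 2` in the first hunk, and nothing visible between them modifies `size`. Keeping only the check at the case entry (plus the one in `default:`) leaves the fix equivalent and makes the bound that protects `packet_hexdump(data + 2, size - 2)` easier to audit. The inner `switch (filter)` body between the two hunks is not shown; if any of its cases read bytes beyond `data + 1`, those reads need their own comparison against `size`, because the entry check only establishes that two bytes are present. The enclosing set_event_filter_cmd() starts and ends outside both hunks.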