[PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Do not allow to read more than allocated data buffer size.
Because of the buffer is malloc(HCI_MAX_FRAME_SIZE),
so there is heap buffer overflow if read the size more than
HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE.
---
 tools/hcidump.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/hcidump.c b/tools/hcidump.c
index 33d429b6c..6cc55404d 100644
--- a/tools/hcidump.c
+++ b/tools/hcidump.c
@@ -105,6 +105,15 @@ struct pktlog_hdr {
 static inline int read_n(int fd, char *buf, int len)
 {
 	int t = 0, w;
+	off_t fsize, currentpos, startpos;
+
+	currentpos = lseek(fd, 0, SEEK_CUR);
+	fsize = lseek(fd, 0, SEEK_END);
+	lseek(fd, currentpos, SEEK_SET);
+	fsize -= currentpos;
+
+	if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+		return -1;
 
 	while (len > 0) {
 		if ((w = read(fd, buf, len)) < 0) {
-- 
2.21.0




[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux