From: Yun-Hao Chung <howardchung@xxxxxxxxxxxx> When RFCOMM_TEST_EA returns false, btmon assumes packet data has at least 5 bytes long. If that assumption fails, btmon could crash when trying to read the next byte. This patch fix it by checking the remaining size before reading the last byte. Reviewed-by: apusaka@xxxxxxxxxxxx --- monitor/rfcomm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c index 9b88a3440e31..76b1123bb23d 100644 --- a/monitor/rfcomm.c +++ b/monitor/rfcomm.c @@ -452,6 +452,9 @@ void rfcomm_packet(const struct l2cap_frame *frame) hdr.length = GET_LEN16(hdr.length); } + if (l2cap_frame->size == 0) + goto fail; + l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1); if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)) -- 2.31.1.607.g51e8a6a459-goog
