From: Yun-Hao Chung <howardchung@xxxxxxxxxxxx>

When RFCOMM_TEST_EA returns false, btmon assumes the packet data is at least 5 bytes long. If that assumption fails, btmon could crash when trying to read the next byte. This patch fixes it by checking the remaining size before reading the last byte.

Reviewed-by: apusaka@xxxxxxxxxxxx
---
Changes in v2:
- Rewrite the if statement

 monitor/rfcomm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c index 9b88a3440e31..3eb19faf0297 100644 --- a/monitor/rfcomm.c +++ b/monitor/rfcomm.c @@ -452,6 +452,9 @@ void rfcomm_packet(const struct l2cap_frame *frame) hdr.length = GET_LEN16(hdr.length); } + if (!l2cap_frame->size) + goto fail; + l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1); if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)) -- 2.31.1.607.g51e8a6a459-goog
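Review bot: The commit message does not describe what the added `if (!l2cap_frame->size) goto fail;` actually guards against: once the header reads have consumed the whole frame, `l2cap_frame->size` is 0 and the `l2cap_frame->size-1` passed to l2cap_frame_pull() on the next line wraps to a huge length, which is the crash condition, not "reading the next byte" or a fixed 5-byte minimum. Suggest rewording the message to say that a zero remaining size makes the `size-1` pull length underflow, so the rationale matches the check. The check itself is sufficient for that path: with size >= 1, pulling size-1 bytes leaves exactly one byte for the `l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)` that follows, and that call already has its own `if (!...)` failure branch.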