monitor: Check length when decoding extended LMP opcodes

author: Marcel Holtmann <marcel@holtmann.org> 2015-10-20 22:07:19 +0200
committer: Marcel Holtmann <marcel@holtmann.org> 2015-10-20 22:07:19 +0200
commit: e97975afd1e051d77acd870b4f0736b7aac5f60d (patch)
tree: 451ddda17dd8bbe821994247eef3079d49de74b3 /monitor/lmp.c
parent: c6655ce871d4c963c11cab5408fab74e12bfc008 (diff)
download: bluez-e97975afd1e051d77acd870b4f0736b7aac5f60d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/monitor/lmp.c b/monitor/lmp.c
index d246776a1..e7e6b25fc 100644
--- a/monitor/lmp.c
+++ b/monitor/lmp.c
@@ -852,6 +852,11 @@ void lmp_packet(const void *data, uint8_t size, bool padded)
 
 	switch (opcode) {
 	case 127:
+		if (size < 2) {
+			print_text(COLOR_ERROR, "extended opcode too short");
+			packet_hexdump(data, size);
+			return;
+		}
 		opcode = LMP_ESC4(((const uint8_t *) data)[1]);
 		off = 2;
 		break;
author	Marcel Holtmann <marcel@holtmann.org>	2015-10-20 22:07:19 +0200
committer	Marcel Holtmann <marcel@holtmann.org>	2015-10-20 22:07:19 +0200
commit	e97975afd1e051d77acd870b4f0736b7aac5f60d (patch)
tree	451ddda17dd8bbe821994247eef3079d49de74b3 /monitor/lmp.c
parent	c6655ce871d4c963c11cab5408fab74e12bfc008 (diff)
download	bluez-e97975afd1e051d77acd870b4f0736b7aac5f60d.tar.gz