diff options
| author | Matias Karhumaa <matias.karhumaa@gmail.com> | 2018-10-16 23:24:15 +0300 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2018-10-18 19:10:26 +0300 |
| commit | b9085d74f19f693a91db85f3ac4be271e02e97af (patch) | |
| tree | eb6dd481c17dd119d13cecf78f12313fe6fb5591 /monitor/sdp.c | |
| parent | e63175ecf66f682721f2ba0337f65330aa798744 (diff) | |
| download | bluez-b9085d74f19f693a91db85f3ac4be271e02e97af.tar.gz | |
btmon: fix segfault caused by buffer overflow
Buffer overflow vulnerability in monitor/sdp.c SDP continuation handling
caused btmon to crash. This happens in global static buffer which makes
it non-trivial to exploit.
This is nasty bug in a way that this can be triggered also over the air
by sending malformed SDP Search Attribute request to device running
btmon.
This crash was foung by fuzzing btmon with AFL. Seems to be reproducible
also with Synopsys Defensics SDP Server suite.
Diffstat (limited to 'monitor/sdp.c')
| -rw-r--r-- | monitor/sdp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/monitor/sdp.c b/monitor/sdp.c index 96fbeb864..df5ccdb71 100644 --- a/monitor/sdp.c +++ b/monitor/sdp.c @@ -43,12 +43,13 @@ #include "sdp.h" #define MAX_TID 16 +#define MAX_CONT_SIZE 17 struct tid_data { bool inuse; uint16_t tid; uint16_t channel; - uint8_t cont[17]; + uint8_t cont[MAX_CONT_SIZE]; }; static struct tid_data tid_list[MAX_TID]; @@ -410,6 +411,10 @@ static void print_continuation(const uint8_t *data, uint16_t size) static void store_continuation(struct tid_data *tid, const uint8_t *data, uint16_t size) { + if (size > MAX_CONT_SIZE) { + print_text(COLOR_ERROR, "invalid continuation size"); + return; + } memcpy(tid->cont, data, size); print_continuation(data, size); } |