btmon: fix segfault caused by buffer overflow

Buffer overflow vulnerability in monitor/sdp.c SDP continuation handling
caused btmon to crash. This happens in global static buffer which makes
it non-trivial to exploit.

This is nasty bug in a way that this can be triggered also over the air
by sending malformed SDP Search Attribute request to device running
btmon.

This crash was foung by fuzzing btmon with AFL. Seems to be reproducible
also with Synopsys Defensics SDP Server suite.

Change-Id: Ie149945cd95f6686183944e358cf25b485c769c4
Signed-off-by: himanshu <h.himanshu@samsung.com>

diff --git a/monitor/sdp.c b/monitor/sdp.c
index 3fa85c0..ac346d8 100755 (executable)
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -43,12 +43,13 @@
 #include "sdp.h"
 
 #define MAX_TID 16
+#define MAX_CONT_SIZE 17
 
 struct tid_data {
        bool inuse;
        uint16_t tid;
        uint16_t channel;
-       uint8_t cont[17];
+       uint8_t cont[MAX_CONT_SIZE];
 };
 
 static struct tid_data tid_list[MAX_TID];
@@ -410,6 +411,10 @@ static void print_continuation(const uint8_t *data, uint16_t size)
 static void store_continuation(struct tid_data *tid,
                                        const uint8_t *data, uint16_t size)
 {
+       if (size > MAX_CONT_SIZE) {
+               print_text(COLOR_ERROR, "invalid continuation size");
+               return;
+       }
        memcpy(tid->cont, data, size);
        print_continuation(data, size);
 }