btmon: fix segfault caused by integer underflow
author: Matias Karhumaa <matias.karhumaa@gmail.com>
Tue, 16 Oct 2018 20:23:12 +0000 (23:23 +0300)
committer: himanshu <h.himanshu@samsung.com>
Tue, 14 Jan 2020 08:53:35 +0000 (14:23 +0530)
Fix segfault caused by integer underflow. Fix is to check that
rsp->num_codecs + 3 is not bigger than size before subtracting.

Crash was found by fuzzing btmon with AFL.

Change-Id: I9af6ee12b4bf58d33ee81412ddd6c47ef49acac8
Signed-off-by: himanshu <h.himanshu@samsung.com>
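The underflow the commit message describes, as an added example that is not btmon's own code: a constructed response layout of status(1), num_codecs(1), num_codecs codec bytes and a num_vnd_codecs(1) byte stands in for bt_hci_rsp_read_local_codecs, and the function names, the RSP_HDR_LEN constant and the sample packets are assumptions made here to show why "num_codecs + 3 > size" has to be tested before the subtraction. The unchecked variant does the subtraction in a uint8_t, so a malformed packet yields a large positive remaining length; the checked variant compares in promoted int arithmetic first and also refuses to read num_codecs until the header is known to be present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed example, not btmon code. The response is modelled as
 * status(1) num_codecs(1) codec[num_codecs] num_vnd_codecs(1) ...
 * so the three single-byte fields around the codec list are the "+ 3".
 */
#define RSP_HDR_LEN 3   /* status + num_codecs + num_vnd_codecs (assumed) */

struct codecs_rsp {
	uint8_t status;
	uint8_t num_codecs;
	uint8_t codec[];    /* num_codecs bytes, then num_vnd_codecs */
};

/* Constructed packets: one well-formed, one claiming 5 codecs in 3 bytes. */
static const uint8_t valid_rsp[] = {
	0x00, 0x02, 0x01, 0x02,  /* status, num_codecs=2, codec IDs 1 and 2 */
	0x01, 0xaa, 0xbb, 0xcc, 0xdd /* num_vnd_codecs=1, one 4-byte vendor entry */
};
static const uint8_t malformed_rsp[] = { 0x00, 0x05, 0x01 };

/*
 * Before the fix: size - num_codecs - 3 is stored in an 8-bit variable,
 * so when num_codecs + 3 exceeds size the result wraps to a large value
 * and the caller would walk that many bytes past the end of the buffer.
 */
static unsigned vendor_len_unchecked(const uint8_t *data, uint8_t size)
{
	const struct codecs_rsp *rsp = (const void *)data;
	uint8_t remaining = size - rsp->num_codecs - RSP_HDR_LEN;

	return remaining;
}

/*
 * After the fix: validate before subtracting. Returns the number of bytes
 * left for vendor codecs, or -1 for a response that cannot be parsed.
 * Both uint8_t operands are promoted to int, so the comparison itself
 * cannot wrap.
 */
static int vendor_len_checked(const uint8_t *data, uint8_t size)
{
	const struct codecs_rsp *rsp = (const void *)data;

	if (size < sizeof(*rsp))                  /* header not even present */
		return -1;
	if (rsp->num_codecs + RSP_HDR_LEN > size) /* the check from the patch */
		return -1;

	return size - rsp->num_codecs - RSP_HDR_LEN;
}

int main(void)
{
	printf("valid:     unchecked=%u checked=%d\n",
	       vendor_len_unchecked(valid_rsp, sizeof(valid_rsp)),
	       vendor_len_checked(valid_rsp, sizeof(valid_rsp)));
	printf("malformed: unchecked=%u checked=%d\n",
	       vendor_len_unchecked(malformed_rsp, sizeof(malformed_rsp)),
	       vendor_len_checked(malformed_rsp, sizeof(malformed_rsp)));
	return 0;
}
```

For the malformed packet the unchecked arithmetic is 3 - 5 - 3 = -5, which becomes 251 once truncated to uint8_t; the checked path rejects it. Keeping the length check in int arithmetic and doing it before any narrowing assignment is the general pattern for length fields that come off the wire.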
monitor/packet.c

index bb9a092..31b3169 100755 (executable)
@@ -5975,6 +5975,11 @@ static void read_local_codecs_rsp(const void *data, uint8_t size)
        const struct bt_hci_rsp_read_local_codecs *rsp = data;
        uint8_t i, num_vnd_codecs;
 
+       if (rsp->num_codecs + 3 > size) {
+               print_field("Invalid number of codecs.");
+               return;
+       }
+
        print_status(rsp->status);
        print_field("Number of supported codecs: %d", rsp->num_codecs);
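Review bot: the new check dereferences rsp->num_codecs before anything has established that size covers the status and num_codecs bytes, so a response shorter than that header is still read before it is rejected; a guard such as `if (size < sizeof(*rsp))` ahead of this test (or folded into it) would close that. The bare constant in `rsp->num_codecs + 3 > size` also deserves a one-line comment naming which three single-byte fields it accounts for, since the commit message only says "before subtracting" and the subtraction is not in this hunk. The comparison itself is safe from wrapping because both uint8_t operands are promoted to int before the addition.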