When RFCOMM_TEST_EA returns false, btmon assumes packet data is at
least 5 bytes long. If that assumption fails, btmon could crash when
trying to read the next byte.
This patch fixes it by checking the remaining size before reading the last
byte.
Reviewed-by: apusaka@chromium.org
Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
hdr.length = GET_LEN16(hdr.length);
}
+ if (!l2cap_frame->size)
+ goto fail;
+
l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1);
if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs))
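Review bot: the new `if (!l2cap_frame->size)` test has no comment saying that it protects the `l2cap_frame->size-1` argument on the next line from being computed when zero bytes remain. Because the `l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)` call right after it already checks its own return value, a later reader could take the new test for a redundant one and remove it. A one-line comment above the check, for example "need at least one byte left for the FCS", would make the intent explicit. The commit message speaks of a 5-byte assumption while the check only rejects a remaining size of zero, so it would also help to state in the message that the earlier header reads have already consumed the other bytes, if that is the case. The `fail` label is outside the visible lines, so confirm that it reports a truncated frame rather than exiting silently. Minor style point: `size-1` would read better as `size - 1`.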