From 473994979c2266d341947e69119ad76044974106 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:22:16 +0300
Subject: [PATCH] btmon: fix multiple segfaults

Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.

Crashes were found by fuzzing btmon with AFL.

Change-Id: Iaba0be9da71154eaeff3be86e8afa5eeb74dd354
Signed-off-by: himanshu <h.himanshu@samsung.com>
---
 monitor/packet.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index 10ee36b..3a290a0 100755
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10186,13 +10186,17 @@ void packet_hci_command(struct timeval *tv, struct ucred *cred, uint16_t index,
 	char extra_str[25], vendor_str[150];
 	int i;
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
 	index_list[index].frame++;
 
-	if (size < HCI_COMMAND_HDR_SIZE) {
+	if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
 		sprintf(extra_str, "(len %d)", size);
 		print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
 			"Malformed HCI Command packet", NULL, extra_str);
-		packet_hexdump(data, size);
 		return;
 	}
 
@@ -10289,6 +10293,12 @@ void packet_hci_event(struct timeval *tv, struct ucred *cred, uint16_t index,
 	char extra_str[25];
 	int i;
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
+
 	index_list[index].frame++;
 
 	if (size < HCI_EVENT_HDR_SIZE) {
@@ -10363,6 +10373,11 @@ void packet_hci_acldata(struct timeval *tv, struct ucred *cred, uint16_t index,
 	uint8_t flags = acl_flags(handle);
 	char handle_str[16], extra_str[32];
 
+	if (index > MAX_INDEX) {
+		print_field("Invalid index (%d).", index);
+		return;
+	}
+
 	index_list[index].frame++;
 
 	if (size < HCI_ACL_HDR_SIZE) {
-- 
2.7.4