
[Bluez,v2] monitor: Fix possible crash of rfcomm packet

Message ID 20210512103550.Bluez.v2.1.I6d2ab6907d9a84fa62ac8a39daef5bef7ff545d5@changeid
State Accepted
Delegated to: Luiz Von Dentz
Series [Bluez,v2] monitor: Fix possible crash of rfcomm packet

Commit Message

Yun-hao Chung May 12, 2021, 2:36 a.m. UTC
From: Yun-Hao Chung <howardchung@chromium.org>

When RFCOMM_TEST_EA returns false, btmon assumes the packet data is at
least 5 bytes long. If that assumption fails, btmon could crash when
trying to read the next byte.
This patch fixes it by checking the remaining size before reading the last
byte.

Reviewed-by: apusaka@chromium.org
---

Changes in v2:
- Rewrite the if statement

 monitor/rfcomm.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

bluez.test.bot@gmail.com May 12, 2021, 3:20 a.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=480831

---Test result---

Test Summary:
CheckPatch                    PASS      0.33 seconds
GitLint                       PASS      0.13 seconds
Prep - Setup ELL              PASS      49.08 seconds
Build - Prep                  PASS      0.14 seconds
Build - Configure             PASS      8.39 seconds
Build - Make                  PASS      215.02 seconds
Make Check                    PASS      9.33 seconds
Make Dist                     PASS      12.62 seconds
Make Dist - Configure         PASS      5.15 seconds
Make Dist - Make              PASS      87.51 seconds
Build w/ext ELL - Configure   PASS      8.44 seconds
Build w/ext ELL - Make        PASS      201.74 seconds

Details
##############################
Test: CheckPatch - PASS
Desc: Run checkpatch.pl script with rule in .checkpatch.conf

##############################
Test: GitLint - PASS
Desc: Run gitlint with rule in .gitlint

##############################
Test: Prep - Setup ELL - PASS
Desc: Clone, build, and install ELL

##############################
Test: Build - Prep - PASS
Desc: Prepare environment for build

##############################
Test: Build - Configure - PASS
Desc: Configure the BlueZ source tree

##############################
Test: Build - Make - PASS
Desc: Build the BlueZ source tree

##############################
Test: Make Check - PASS
Desc: Run 'make check'

##############################
Test: Make Dist - PASS
Desc: Run 'make dist' and build the distribution tarball

##############################
Test: Make Dist - Configure - PASS
Desc: Configure the source from distribution tarball

##############################
Test: Make Dist - Make - PASS
Desc: Build the source from distribution tarball

##############################
Test: Build w/ext ELL - Configure - PASS
Desc: Configure BlueZ source with '--enable-external-ell' configuration

##############################
Test: Build w/ext ELL - Make - PASS
Desc: Build BlueZ source with '--enable-external-ell' configuration



---
Regards,
Linux Bluetooth
Luiz Augusto von Dentz May 13, 2021, 9:14 p.m. UTC | #2
Hi Yun,

On Tue, May 11, 2021 at 8:21 PM <bluez.test.bot@gmail.com> wrote:
>
> This is an automated email; please do not reply to it!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> These are the CI test results for your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=480831
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    PASS      0.33 seconds
> GitLint                       PASS      0.13 seconds
> Prep - Setup ELL              PASS      49.08 seconds
> Build - Prep                  PASS      0.14 seconds
> Build - Configure             PASS      8.39 seconds
> Build - Make                  PASS      215.02 seconds
> Make Check                    PASS      9.33 seconds
> Make Dist                     PASS      12.62 seconds
> Make Dist - Configure         PASS      5.15 seconds
> Make Dist - Make              PASS      87.51 seconds
> Build w/ext ELL - Configure   PASS      8.44 seconds
> Build w/ext ELL - Make        PASS      201.74 seconds
>
> Details
> ##############################
> Test: CheckPatch - PASS
> Desc: Run checkpatch.pl script with rule in .checkpatch.conf
>
> ##############################
> Test: GitLint - PASS
> Desc: Run gitlint with rule in .gitlint
>
> ##############################
> Test: Prep - Setup ELL - PASS
> Desc: Clone, build, and install ELL
>
> ##############################
> Test: Build - Prep - PASS
> Desc: Prepare environment for build
>
> ##############################
> Test: Build - Configure - PASS
> Desc: Configure the BlueZ source tree
>
> ##############################
> Test: Build - Make - PASS
> Desc: Build the BlueZ source tree
>
> ##############################
> Test: Make Check - PASS
> Desc: Run 'make check'
>
> ##############################
> Test: Make Dist - PASS
> Desc: Run 'make dist' and build the distribution tarball
>
> ##############################
> Test: Make Dist - Configure - PASS
> Desc: Configure the source from distribution tarball
>
> ##############################
> Test: Make Dist - Make - PASS
> Desc: Build the source from distribution tarball
>
> ##############################
> Test: Build w/ext ELL - Configure - PASS
> Desc: Configure BlueZ source with '--enable-external-ell' configuration
>
> ##############################
> Test: Build w/ext ELL - Make - PASS
> Desc: Build BlueZ source with '--enable-external-ell' configuration
>
>
>
> ---
> Regards,
> Linux Bluetooth

Applied, thanks.

Patch

diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c
index 9b88a3440e31..3eb19faf0297 100644
--- a/monitor/rfcomm.c
+++ b/monitor/rfcomm.c
@@ -452,6 +452,9 @@  void rfcomm_packet(const struct l2cap_frame *frame)
 		hdr.length = GET_LEN16(hdr.length);
 	}
 
+	if (!l2cap_frame->size)
+		goto fail;
+
 	l2cap_frame_pull(&tmp_frame, l2cap_frame, l2cap_frame->size-1);
 
 	if (!l2cap_frame_get_u8(&tmp_frame, &hdr.fcs))
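Review bot: the new `if (!l2cap_frame->size) goto fail;` guards exactly the case where the `l2cap_frame->size-1` argument to `l2cap_frame_pull()` on the following line would be computed from a zero remaining length (if `size` is an unsigned type, that subtraction wraps to a very large pull length); a one-line comment above the check saying so would help, because the commit message talks about a 5-byte minimum rather than the zero-length case, and a reader may otherwise expect a `size < 5` comparison here. Frames with 1 to 4 bytes remaining still reach the `l2cap_frame_get_u8(&tmp_frame, &hdr.fcs)` read, whose return value is already checked, so that path relies on the existing per-field checks rather than this guard; worth stating in the comment as well.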