From c3d4ca78385dccd5daf49444605a5a8363a6e84b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:20:08 +0300
Subject: [PATCH] btmon: fix segfault caused by buffer over-read

Fix segmentation fault caused by buffer over-read in packet_ctrl_open().

Fix is to check that ident_len is not bigger than size.

This bug was found by fuzzing btmon with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
3813			str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
(gdb) bt
 #0  0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
 #1  0x000000000041eda4 in packet_ctrl_open (tv=<optimized out>, cred=<optimized out>, index=<optimized out>, data=0x7fffffffda7e, size=<optimized out>) at monitor/packet.c:10286
 #2  0x000000000041b193 in packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=65535, opcode=<optimized out>, data=0x7fffffffda60, size=14) at monitor/packet.c:3957
 #3  0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
 #4  0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
(gdb)
---
 monitor/packet.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/monitor/packet.c b/monitor/packet.c
index 2b58a47da..219070e06 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -10273,6 +10273,12 @@ void packet_ctrl_open(struct timeval *tv, struct ucred *cred, uint16_t index,
 		flags = get_le32(data + 3);
 		ident_len = get_u8(data + 7);
 
+		if (ident_len > size) {
+			print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
+                                "Malformed Control Open packet", NULL, NULL);
+			return;
+		}
+
 		data += 8;
 		size -= 8;