A buffer overflow was found in the commands_dump() function in the tools/parser/csr.c source file of bluez. The fixed-size "commands" array is overflowed because the number of bytes copied into it is taken from the frame being parsed (via "frm->ptr") without being checked against the size of the array. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. Original report: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
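The pattern described above, as an added illustration in C. This is constructed example code, not bluez's csr.c: the struct frame layout, the COMMANDS_MAX size, the record format (one length byte followed by that many bytes) and all sample records are assumptions made for the example. It shows the unchecked copy loop next to a hardened variant that rejects a frame whose declared length exceeds the destination, and a small parser that also refuses lengths that run past the end of the file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parser's frame: a read cursor into the
 * dump payload plus bytes remaining. Illustration only, not bluez's struct. */
struct frame {
    const uint8_t *ptr;
    size_t len;
};

#define COMMANDS_MAX 64

/* Vulnerable shape: the loop bound comes from the frame while the destination
 * is a fixed 64-byte array, so len > 64 writes past its end. Kept for
 * comparison; only ever called below with an in-bounds frame. */
static size_t commands_dump_unchecked(const struct frame *frm,
                                      uint8_t commands[COMMANDS_MAX])
{
    size_t i;
    for (i = 0; i < frm->len; i++)
        commands[i] = frm->ptr[i];
    return i;
}

/* Hardened shape: refuse a frame whose declared length exceeds the
 * destination before copying. Returns bytes copied, or -1 on rejection. */
static int commands_dump_checked(const struct frame *frm,
                                 uint8_t commands[COMMANDS_MAX])
{
    size_t i;
    if (frm->len > COMMANDS_MAX)
        return -1;
    for (i = 0; i < frm->len; i++)
        commands[i] = frm->ptr[i];
    return (int)i;
}

/* Constructed record layout (not hcidump's file format): one length byte,
 * then that many bytes of command data. Returns bytes copied, or -1 if the
 * record is truncated or oversized. */
static int parse_commands_record(const uint8_t *buf, size_t buflen,
                                 uint8_t commands[COMMANDS_MAX])
{
    struct frame frm;

    if (buflen < 1)
        return -1;
    frm.ptr = buf + 1;
    frm.len = buf[0];
    /* A corrupted length byte can also claim more than the file holds. */
    if (frm.len > buflen - 1)
        return -1;
    return commands_dump_checked(&frm, commands);
}

/* Constructed sample: a well-formed record carrying 4 command bytes. */
int example_good_record(void)
{
    static const uint8_t rec[] = { 0x04, 0x0f, 0x02, 0x00, 0x80 };
    uint8_t commands[COMMANDS_MAX];
    return parse_commands_record(rec, sizeof(rec), commands);
}

/* Constructed sample: length byte 200 exceeds the 64-byte destination;
 * the checked path rejects it instead of overrunning the stack. */
int example_corrupt_record(void)
{
    uint8_t rec[201];
    uint8_t commands[COMMANDS_MAX];
    memset(rec, 0xaa, sizeof(rec));
    rec[0] = 200;
    return parse_commands_record(rec, sizeof(rec), commands);
}

/* Constructed sample: declares 16 bytes but the file ends after 2. */
int example_truncated_record(void)
{
    static const uint8_t rec[] = { 0x10, 0x01, 0x02 };
    uint8_t commands[COMMANDS_MAX];
    return parse_commands_record(rec, sizeof(rec), commands);
}

/* The unchecked routine on the same well-formed 4-byte frame: identical
 * behaviour until the declared length passes COMMANDS_MAX. */
size_t example_unchecked_in_bounds(void)
{
    static const uint8_t payload[] = { 0x0f, 0x02, 0x00, 0x80 };
    const struct frame frm = { payload, sizeof(payload) };
    uint8_t commands[COMMANDS_MAX];
    return commands_dump_unchecked(&frm, commands);
}

int main(void)
{
    printf("good record      -> %d\n", example_good_record());
    printf("corrupt record   -> %d\n", example_corrupt_record());
    printf("truncated record -> %d\n", example_truncated_record());
    printf("unchecked, 4 B   -> %zu\n", example_unchecked_in_bounds());
    return 0;
}
```

The only difference between the two dump routines is the single length comparison before the copy loop; that is the check a fix for this class of bug adds. The second check in parse_commands_record is the companion case: a corrupted length field can also exceed what the input actually contains, which turns the same bug into an out-of-bounds read rather than a write.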
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1401548]