BlueZ hcidump <= 1.29 L2CAP Length Field DoS

Discoverer: Pierre Betouin (pierre.betouin@infratech.fr)

The hcidump tool that accompanies the official Linux Bluetooth stack BlueZ
is vulnerable to a denial of service attack when parsing malformed L2CAP
frames with an invalid header length.

The BlueZ hcidump tool does not do a proper bounds check on the
L2CAP HEADER LENGTH field, allowing an attacker cause hcidump to
reference an invalid memory address that leads to a segment fault.
It is not know if this vulnerability is exploitable beyond a denial
of service attack. All versions of hcidump are believed to be
vulnerable up to an including version 1.29.