Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
l2cap_ecred_reconf_rsp() returns early on success without clearing chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp, l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a successful transaction to prevent the channel from matching subsequent responses with the recycled ident value.

A remote attacker that completed a reconfiguration as the peer can replay a failure response with the stale ident, causing the kernel to match and destroy the already-established channel via l2cap_chan_del(chan, ECONNRESET).

Clear chan->ident for all matching channels on success, and harden the failure path by using l2cap_chan_hold_unless_zero() consistent with other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).

Fixes: 15f02b91 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>