Commit e1d9a668 authored by Christian Eggers, committed by Luiz Augusto von Dentz

Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU



Core 6.0, Vol 3, Part A, 3.4.3:
"If the SDU length field value exceeds the receiver's MTU, the receiver
shall disconnect the channel..."

This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').

Fixes: aac23bf6 ("Bluetooth: Implement LE L2CAP reassembly")
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent c38b8f5f
+7 −3
@@ -6662,8 +6662,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
		return -ENOBUFS;
	}

	if (chan->imtu < skb->len) {
		BT_ERR("Too big LE L2CAP PDU");
	if (skb->len > chan->imtu) {
		BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
		       chan->imtu);
		l2cap_send_disconn_req(chan, ECONNRESET);
		return -ENOBUFS;
	}

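Review bot: The oversize-PDU branch still returns -ENOBUFS after the new l2cap_send_disconn_req(chan, ECONNRESET), while the SDU-length branch later in the same function reports the same class of violation as -EMSGSIZE. Consider returning -EMSGSIZE here too, or add a short comment explaining why the two paths differ. The message also still says "PDU" although the value is compared against chan->imtu, the SDU limit quoted in the commit message, so the wording should name which limit was exceeded. Since a remote peer can trigger this path, a rate-limited log call would also be worth considering.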
@@ -6689,7 +6691,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
		       sdu_len, skb->len, chan->imtu);

		if (sdu_len > chan->imtu) {
			BT_ERR("Too big LE L2CAP SDU length received");
			BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
			       skb->len, sdu_len);
			l2cap_send_disconn_req(chan, ECONNRESET);
			err = -EMSGSIZE;
			goto failed;
		}
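Review bot: The arguments to the new BT_ERR in the sdu_len check do not match the condition being tested. The branch is taken when sdu_len > chan->imtu, but the format "len %u > %u" is filled with skb->len and sdu_len, so the log shows the fragment length against the SDU length rather than the SDU length against the receive MTU. Passing sdu_len, chan->imtu would make the message reflect the comparison that caused the disconnect, which matters when the log is used to diagnose a misbehaving or hostile peer.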