Commit 75767213 authored by Sungwoo Kim's avatar Sungwoo Kim Committed by Luiz Augusto von Dentz
Browse files

Bluetooth: L2CAP: Add missing checks for invalid DCID 



When receiving a connect response we should make sure that the DCID is
within the valid range and that we don't already have another channel
allocated for the same DCID.
Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
Version 5.4 | Vol 3, Part A, Page 1046).

Fixes: 40624183 ("Bluetooth: L2CAP: Add missing checks for invalid LE DCID")
Signed-off-by: default avatarSungwoo Kim <iam@sung-woo.kim>
Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 71e95884

net/bluetooth/l2cap_core.c

+9 −0
Original line number Diff line number Diff line
@@ -4306,6 +4306,10 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 
	result = __le16_to_cpu(rsp->result);

	status = __le16_to_cpu(rsp->status);



	if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||

					   dcid > L2CAP_CID_DYN_END))

		return -EPROTO;



	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",

	       dcid, scid, result, status);
@@ -4337,6 +4341,11 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 


	switch (result) {

	case L2CAP_CR_SUCCESS:

		if (__l2cap_get_chan_by_dcid(conn, dcid)) {

			err = -EBADSLT;

			break;

		}



		l2cap_state_change(chan, BT_CONFIG);

		chan->ident = 0;

		chan->dcid = dcid;