From 39a3dee29d673a007ffd88161b46fde3ee02af40 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Fri, 12 Mar 2021 09:32:55 -0800
Subject: [PATCH] Bluetooth: L2CAP: Fix not checking for L2CAP_ECRED_CHAN_MAX

When receiving L2CAP_CREDIT_BASED_CONNECTION_REQ the remote may request more channels than allowed so this checks if amount of channel surpasses the maximum channels (5) and return an error.

Signed-off-by: Luiz Augusto von Dentz
---
 subsys/bluetooth/host/l2cap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
index 99c24778072..523d6f486eb 100644
--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -1107,6 +1107,13 @@ static void le_ecred_conn_req(struct bt_l2cap *l2cap, uint8_t ident,
 }
 req = net_buf_pull_mem(buf, sizeof(*req));
+
+ if (buf->len > sizeof(dcid)) {
+ BT_ERR("Too large LE conn req packet size");
+ result = BT_L2CAP_LE_ERR_INVALID_PARAMS;
+ goto response;
+ }
+
 psm = sys_le16_to_cpu(req->psm);
 mtu = sys_le16_to_cpu(req->mtu);
 mps = sys_le16_to_cpu(req->mps);
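Review bot: The new `goto response` is taken before `psm`, `mtu`, `mps` or any source CID has been read, and with `buf->len` still larger than `sizeof(dcid)`, so whatever the `response:` path (outside this hunk) uses to size and fill the reply must not depend on those values. If that path derives the number of returned DCIDs from `buf->len` or from a counter that is still zero, it would copy more than `dcid` holds and send uninitialised stack bytes to the peer; clamp the count before jumping (for example to `L2CAP_ECRED_CHAN_MAX`) and make sure `dcid` is zero-initialised. The check also only works because `dcid` is presumably declared with `L2CAP_ECRED_CHAN_MAX` entries, which the hunk does not show, so a comment such as `/* remaining payload is the SCID list: reject more than L2CAP_ECRED_CHAN_MAX entries */` above the `if` would tie the code to the commit title. le_ecred_conn_req starts and ends outside the hunk.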