bartoszek/zephyr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bluetooth: Host: Fix assert in L2CAP ECRED connection response

Browse Source 
In the case that the peer responds with fewer dcid values than the
number of scid values in the connection request, we would assert or read
past the end of the buffer.

Signed-off-by: Herman Berget <herman.berget@nordicsemi.no>
This commit is contained in:
Herman Berget 2022-04-13 16:49:53 +02:00 committed by Marti Bolivar
parent cfad60d4dd
commit 97d64cf104
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
subsys/bluetooth/host/l2cap.c
View File

@ -1564,6 +1564,13 @@ static void le_ecred_conn_rsp(struct bt_l2cap *l2cap, uint8_t ident,
/* Cancel RTX work */
k_work_cancel_delayable(&chan->rtx_work);
if (buf->len < sizeof(dcid)) {
BT_ERR("Fewer dcid values than expected");
bt_l2cap_chan_remove(conn, &chan->chan);
bt_l2cap_chan_del(&chan->chan);
continue;
}
dcid = net_buf_pull_le16(buf);
attempted++;