From 97d64cf1044338c7d9f01184d72c4e26ddd2e63c Mon Sep 17 00:00:00 2001
From: Herman Berget
Date: Wed, 13 Apr 2022 16:49:53 +0200
Subject: [PATCH] Bluetooth: Host: Fix assert in L2CAP ECRED connection response

In the case that the peer responds with fewer dcid values than the number of scid values in the connection request, we would assert or read past the end of the buffer.

Signed-off-by: Herman Berget
---
 subsys/bluetooth/host/l2cap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
index 06934377324..524557fd338 100644
--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -1564,6 +1564,13 @@ static void le_ecred_conn_rsp(struct bt_l2cap *l2cap, uint8_t ident,
 /* Cancel RTX work */
 k_work_cancel_delayable(&chan->rtx_work);
+ if (buf->len < sizeof(dcid)) {
+ BT_ERR("Fewer dcid values than expected");
+ bt_l2cap_chan_remove(conn, &chan->chan);
+ bt_l2cap_chan_del(&chan->chan);
+ continue;
+ }
+
 dcid = net_buf_pull_le16(buf);
 attempted++;
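Review bot: The new `if (buf->len < sizeof(dcid))` guard carries no comment explaining why a short response is possible here, so a reader of the code (rather than the commit message) cannot tell that this is a bounds check on a peer-controlled response rather than a local bookkeeping error; a one-line comment above the check such as `/* The peer may return fewer dcids than the scids we requested; drop the channels left without a dcid instead of reading past the end of buf. */` would carry that intent into the file. Because the check runs once per remaining channel, a short response emits one BT_ERR per unfulfilled channel instead of a single message; if that is considered noisy, the count of dcids present could be derived once from buf->len before the loop, but that is a style choice, not a defect. The guard presumably relies on dcid being a uint16_t so that sizeof(dcid) matches what net_buf_pull_le16 consumes; that declaration, the loop whose continue this branch uses, and the rest of le_ecred_conn_rsp all lie outside the hunk.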