
Bluetooth: Host: L2CAP: Fix checking signaling packets size #90058

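--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -1049,8 +1049,9 @@ static void le_conn_param_rsp(struct bt_l2cap *l2cap, struct net_buf *buf)
 {
 struct bt_l2cap_conn_param_rsp *rsp = (void *)buf->data;
 
-if (buf->len < sizeof(*rsp)) {
-LOG_ERR("Too small LE conn param rsp");
+if (buf->len != sizeof(*rsp)) {
+LOG_ERR("Invalid LE conn param rsp size (%u != %zu)",
+buf->len, sizeof(*rsp));
 return;
 }
 
@@ -1066,8 +1067,9 @@ static void le_conn_param_update_req(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_conn_param_req *req = (void *)buf->data;
 bool accepted;
 
-if (buf->len < sizeof(*req)) {
-LOG_ERR("Too small LE conn update param req");
+if (buf->len != sizeof(*req)) {
+LOG_ERR("Invalid LE conn update param req size (%u != %zu)",
+buf->len, sizeof(*req));
 return;
 }
 
@@ -1458,8 +1460,9 @@ static void le_conn_req(struct bt_l2cap *l2cap, uint8_t ident,
 uint16_t psm, scid, mtu, mps, credits;
 uint16_t result;
 
-if (buf->len < sizeof(*req)) {
-LOG_ERR("Too small LE conn req packet size");
+if (buf->len != sizeof(*req)) {
+LOG_ERR("Invalid LE conn req packet size (%u != %zu)",
+buf->len, sizeof(*req));
 return;
 }
 
@@ -1759,8 +1762,9 @@ static void le_ecred_reconf_rsp(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_le_chan *ch;
 uint16_t result;
 
-if (buf->len < sizeof(*rsp)) {
-LOG_ERR("Too small ecred reconf rsp packet size");
+if (buf->len != sizeof(*rsp)) {
+LOG_ERR("Invalid ecred reconf rsp packet size (%u != %zu)",
+buf->len, sizeof(*rsp));
 return;
 }
 
@@ -1820,8 +1824,9 @@ static void le_disconn_req(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_disconn_rsp *rsp;
 uint16_t dcid;
 
-if (buf->len < sizeof(*req)) {
-LOG_ERR("Too small LE conn req packet size");
+if (buf->len != sizeof(*req)) {
+LOG_ERR("Invalid LE conn req packet size (%u != %zu)",
+buf->len, sizeof(*req));
 return;
 }
 
@@ -2039,8 +2044,9 @@ static void le_conn_rsp(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_le_conn_rsp *rsp = (void *)buf->data;
 uint16_t dcid, mtu, mps, credits, result;
 
-if (buf->len < sizeof(*rsp)) {
-LOG_ERR("Too small LE conn rsp packet size");
+if (buf->len != sizeof(*rsp)) {
+LOG_ERR("Invalid LE conn rsp packet size (%u != %zu)",
+buf->len, sizeof(*rsp));
 return;
 }
 
@@ -2111,8 +2117,9 @@ static void le_disconn_rsp(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_disconn_rsp *rsp = (void *)buf->data;
 uint16_t scid;
 
-if (buf->len < sizeof(*rsp)) {
-LOG_ERR("Too small LE disconn rsp packet size");
+if (buf->len != sizeof(*rsp)) {
+LOG_ERR("Invalid LE disconn rsp packet size (%u != %zu)",
+buf->len, sizeof(*rsp));
 return;
 }
 
@@ -2137,8 +2144,9 @@ static void le_credits(struct bt_l2cap *l2cap, uint8_t ident,
 struct bt_l2cap_le_chan *le_chan;
 uint16_t credits, cid;
 
-if (buf->len < sizeof(*ev)) {
-LOG_ERR("Too small LE Credits packet size");
+if (buf->len != sizeof(*ev)) {
+LOG_ERR("Invalid LE Credits packet size (%u != %zu)",
+buf->len, sizeof(*ev));
 return;
 }
 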
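Review bot: The rewritten log string in le_disconn_req still reads "Invalid LE conn req packet size", the same text as in le_conn_req, so a malformed Disconnection Request cannot be told apart from a malformed connection request when triaging logs; it should read `LOG_ERR("Invalid LE disconn req packet size (%u != %zu)",`. Separately, the three request handlers touched here (le_conn_param_update_req, le_conn_req, le_disconn_req) return on a bad size with no reply visible in these hunks. Now that oversized PDUs are rejected as well, it is worth confirming whether the peer gets an L2CAP Command Reject or is left to hit its response timeout. All eight function bodies start or continue outside the hunks, so the second point is inferred from the visible lines only.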