Impact
For example, sending L2CAP K-frame where SDU length field is truncated to only one byte, causes assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba94379381 but has not yet been backported to older release branches.
Analysis
This happens because in l2cap_chan_le_recv()
function, when getting the SDU len from buffer, length of the buffer is not checked and later on call to net_buf_pull_le16(buf)
leads to assertion. If assertions are disabled, SDU length is calculated wrong and packet soon dropped due to invalid SDU length.
Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
embargo: 2021-05-24
Impact
For example, sending L2CAP K-frame where SDU length field is truncated to only one byte, causes assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba94379381 but has not yet been backported to older release branches.
Analysis
This happens because in
l2cap_chan_le_recv()
function, when getting the SDU len from buffer, length of the buffer is not checked and later on call tonet_buf_pull_le16(buf)
leads to assertion. If assertions are disabled, SDU length is calculated wrong and packet soon dropped due to invalid SDU length.Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
embargo: 2021-05-24