sieni
/
linux
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU 

Core 6.0, Vol 3, Part A, 3.4.3:
"If the SDU length field value exceeds the receiver's MTU, the receiver
shall disconnect the channel..."

This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').

Fixes: aac23bf636 ("Bluetooth: Implement LE L2CAP reassembly")
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Christian Eggers 2026-02-25 18:07:25 +01:00 committed by Luiz Augusto von Dentz
parent c38b8f5f79
commit e1d9a66889
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
net/bluetooth/l2cap_core.c
View File

@ -6662,8 +6662,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
return -ENOBUFS;
}
if (chan->imtu < skb->len) {
BT_ERR("Too big LE L2CAP PDU");
if (skb->len > chan->imtu) {
BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
chan->imtu);
l2cap_send_disconn_req(chan, ECONNRESET);
return -ENOBUFS;
}
@ -6689,7 +6691,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
sdu_len, skb->len, chan->imtu);
if (sdu_len > chan->imtu) {
BT_ERR("Too big LE L2CAP SDU length received");
BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
skb->len, sdu_len);
l2cap_send_disconn_req(chan, ECONNRESET);
err = -EMSGSIZE;
goto failed;
}