Message ID | 20230603122808.1633403-1-iam@sung-woo.kim |
---|---|
State | Accepted |
Commit | f9367ce74db3c801bafa0f77cc2235d5e1a42bad |
Series | Bluetooth: L2CAP: Add missing checks for invalid DCID |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=753751

---Test result---

Test Summary:
CheckPatch PASS 0.74 seconds
GitLint PASS 0.36 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 33.11 seconds
CheckAllWarning PASS 36.05 seconds
CheckSparse PASS 41.35 seconds
CheckSmatch PASS 111.10 seconds
BuildKernel32 PASS 32.14 seconds
TestRunnerSetup PASS 457.37 seconds
TestRunner_l2cap-tester PASS 17.54 seconds
TestRunner_iso-tester PASS 24.19 seconds
TestRunner_bnep-tester PASS 5.88 seconds
TestRunner_mgmt-tester PASS 118.33 seconds
TestRunner_rfcomm-tester PASS 9.11 seconds
TestRunner_sco-tester PASS 8.40 seconds
TestRunner_ioctl-tester PASS 9.93 seconds
TestRunner_mesh-tester PASS 7.35 seconds
TestRunner_smp-tester PASS 8.71 seconds
TestRunner_userchan-tester PASS 6.01 seconds
IncrementalBuild PASS 30.61 seconds

---
Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat, 3 Jun 2023 08:28:09 -0400 you wrote:
> When receiving a connect response we should make sure that the DCID is
> within the valid range and that we don't already have another channel
> allocated for the same DCID.
> Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
> Version 5.4 | Vol 3, Part A, Page 1046).
>
> Fixes: 40624183c202 ("L2CAP: Add missing checks for invalid LE DCID")
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
>
> [...]

Here is the summary with links:
  - Bluetooth: L2CAP: Add missing checks for invalid DCID
    https://git.kernel.org/bluetooth/bluetooth-next/c/f9367ce74db3

You are awesome, thank you!
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 376b523c7..104eb0320 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4306,6 +4306,10 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, result = __le16_to_cpu(rsp->result); status = __le16_to_cpu(rsp->status); + if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START || + dcid > L2CAP_CID_DYN_END)) + return -EPROTO; + BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status); @@ -4337,6 +4341,11 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, switch (result) { case L2CAP_CR_SUCCESS: + if (__l2cap_get_chan_by_dcid(conn, dcid)) { + err = -EBADSLT; + break; + } + l2cap_state_change(chan, BT_CONFIG); chan->ident = 0; chan->dcid = dcid;
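Review bot: In the first hunk (@@ -4306), the new `return -EPROTO` sits above the BT_DBG() call, so a connect response rejected for an out-of-range DCID never has its dcid, scid, result and status logged. Moving the range check below the BT_DBG() line would keep the offending values visible when debugging a misbehaving peer. The check is also gated on `result == L2CAP_CR_SUCCESS`; a short comment saying why other result codes are exempt from the range check, with a pointer to the spec section the commit message cites, would help the next reader.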
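Review bot: In the second hunk (@@ -4337), the duplicate-DCID branch under `case L2CAP_CR_SUCCESS:` sets `err = -EBADSLT` and breaks, while the range check added earlier in the same function returns -EPROTO. Both reject a malformed response from the peer, so either use one errno for both or say in a comment why they differ. The `break` also skips `l2cap_state_change(chan, BT_CONFIG)` and leaves chan untouched, and nothing in the visible lines shows the channel being torn down afterwards; the commit message or a comment should state what happens to chan on this path so it is clear it cannot stay pending indefinitely.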
When receiving a connect response we should make sure that the DCID is
within the valid range and that we don't already have another channel
allocated for the same DCID.
Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
Version 5.4 | Vol 3, Part A, Page 1046).

Fixes: 40624183c202 ("L2CAP: Add missing checks for invalid LE DCID")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/l2cap_core.c | 9 +++++++++
 1 file changed, 9 insertions(+)