Bluetooth: L2CAP: Add missing checks for invalid DCID

Message ID 20230603122808.1633403-1-iam@sung-woo.kim
State Accepted
Commit f9367ce74db3c801bafa0f77cc2235d5e1a42bad
Series Bluetooth: L2CAP: Add missing checks for invalid DCID

Commit Message

Sungwoo Kim June 3, 2023, 12:28 p.m. UTC
When receiving a connect response we should make sure that the DCID is
within the valid range and that we don't already have another channel
allocated for the same DCID.
Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
Version 5.4 | Vol 3, Part A, Page 1046).

Fixes: 40624183c202 ("L2CAP: Add missing checks for invalid LE DCID")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/l2cap_core.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

bluez.test.bot@gmail.com June 3, 2023, 1:11 p.m. UTC | #1
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=753751

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
GitLint                       PASS      0.36 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      33.11 seconds
CheckAllWarning               PASS      36.05 seconds
CheckSparse                   PASS      41.35 seconds
CheckSmatch                   PASS      111.10 seconds
BuildKernel32                 PASS      32.14 seconds
TestRunnerSetup               PASS      457.37 seconds
TestRunner_l2cap-tester       PASS      17.54 seconds
TestRunner_iso-tester         PASS      24.19 seconds
TestRunner_bnep-tester        PASS      5.88 seconds
TestRunner_mgmt-tester        PASS      118.33 seconds
TestRunner_rfcomm-tester      PASS      9.11 seconds
TestRunner_sco-tester         PASS      8.40 seconds
TestRunner_ioctl-tester       PASS      9.93 seconds
TestRunner_mesh-tester        PASS      7.35 seconds
TestRunner_smp-tester         PASS      8.71 seconds
TestRunner_userchan-tester    PASS      6.01 seconds
IncrementalBuild              PASS      30.61 seconds



---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org June 5, 2023, 7:40 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat,  3 Jun 2023 08:28:09 -0400 you wrote:
> When receiving a connect response we should make sure that the DCID is
> within the valid range and that we don't already have another channel
> allocated for the same DCID.
> Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
> Version 5.4 | Vol 3, Part A, Page 1046).
> 
> Fixes: 40624183c202 ("L2CAP: Add missing checks for invalid LE DCID")
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> 
> [...]

Here is the summary with links:
  - Bluetooth: L2CAP: Add missing checks for invalid DCID
    https://git.kernel.org/bluetooth/bluetooth-next/c/f9367ce74db3

You are awesome, thank you!

Patch

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 376b523c7..104eb0320 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4306,6 +4306,10 @@  static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	result = __le16_to_cpu(rsp->result);
 	status = __le16_to_cpu(rsp->status);
 
+	if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
+					   dcid > L2CAP_CID_DYN_END))
+		return -EPROTO;
+
 	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
 	       dcid, scid, result, status);
 
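Review bot: The range check at the top of this hunk returns -EPROTO before the BT_DBG line that follows it, so a response rejected for an out-of-range DCID leaves no debug trace of the dcid, scid and result the peer sent. Consider moving the check below the BT_DBG call, and adding a short comment that the bounds are the dynamic CID range required by the spec section cited in the commit message. The check is also gated on result == L2CAP_CR_SUCCESS; if any other result path stores dcid into the channel, it needs the same bounds.
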
@@ -4337,6 +4341,11 @@  static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 
 	switch (result) {
 	case L2CAP_CR_SUCCESS:
+		if (__l2cap_get_chan_by_dcid(conn, dcid)) {
+			err = -EBADSLT;
+			break;
+		}
+
 		l2cap_state_change(chan, BT_CONFIG);
 		chan->ident = 0;
 		chan->dcid = dcid;
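
Review bot: In the L2CAP_CR_SUCCESS case, the duplicate-DCID branch sets err = -EBADSLT and breaks without touching chan, so the channel that was waiting for this response stays in its previous state. Please confirm that it is torn down or timed out elsewhere, or clean it up explicitly in this branch. It would also help to document which lock covers the __l2cap_get_chan_by_dcid() lookup, since the lookup and the later chan->dcid = dcid assignment must happen under the same lock for the uniqueness check to hold.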