Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success

l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.

A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).

Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5668c92b3f58d3397e7d787df493ef0660918dd2..ff13c43e3588cde9c9afcdedc56e0e313d6eaa81 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5460,14 +5460,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
 
        BT_DBG("result 0x%4.4x", result);
 
-       if (!result)
+       if (!result) {
+               list_for_each_entry(chan, &conn->chan_l, list) {
+                       if (chan->ident == cmd->ident)
+                               chan->ident = 0;
+               }
                return 0;
+       }
 
        list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
                if (chan->ident != cmd->ident)
                        continue;
 
-               l2cap_chan_hold(chan);
+               if (!l2cap_chan_hold_unless_zero(chan))
+                       continue;
                l2cap_chan_lock(chan);
 
                l2cap_chan_del(chan, ECONNRESET);