git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
author Christian Eggers <ceggers@arri.de>
Wed, 25 Feb 2026 17:07:26 +0000 (18:07 +0100)
committer Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Fri, 10 Apr 2026 14:26:48 +0000 (10:26 -0400)
Core 6.0, Vol 3, Part A, 3.4.3:
"... If the payload size of any K-frame exceeds the receiver's MPS, the
receiver shall disconnect the channel..."

This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').

Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>
net/bluetooth/l2cap_core.c

index 95c65fece39bdf40391d52811a45c89b781041a1..9916ae6abef04889130eabfcdc1eb8e8aacb9a42 100644 (file)
@@ -6705,6 +6705,13 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
                return -ENOBUFS;
        }
 
+       if (skb->len > chan->mps) {
+               BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
+                      chan->mps);
+               l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+
        chan->rx_credits--;
        BT_DBG("chan %p: rx_credits %u -> %u",
               chan, chan->rx_credits + 1, chan->rx_credits);
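
Review bot: The BT_ERR string in the added block, "Too big LE L2CAP MPS: len %u > %u", reads as though the MPS value itself were too large, while the condition `skb->len > chan->mps` tests the received PDU length against the local MPS. Wording such as "PDU length %u exceeds MPS %u" would match the check. The "LE" prefix is also worth a second look, since the function is named l2cap_ecred_data_rcv rather than anything LE-specific. The new branch returns -ENOBUFS, the same value as the branch directly above it, so a caller cannot distinguish this protocol violation from the preceding error; if that is deliberate, a one-line comment above the `if` citing Core 6.0, Vol 3, Part A, 3.4.3 (currently only in the commit message) would record why the channel is disconnected here. The message is triggered by peer-controlled input, so consider whether a rate-limited log call is more appropriate than a plain BT_ERR.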