Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
authorChristian Eggers <ceggers@arri.de>
Wed, 25 Feb 2026 17:07:25 +0000 (18:07 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Mar 2026 10:08:52 +0000 (11:08 +0100)
[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]

Core 6.0, Vol 3, Part A, 3.4.3:
"If the SDU length field value exceeds the receiver's MTU, the receiver
shall disconnect the channel..."

This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').

Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/bluetooth/l2cap_core.c

index a95949bc36b2a24d2213a46adf48630a300aa11a..de8e18fe50557c1f1648e219b7d01d5d6c8d8023 100644 (file)
@@ -6619,8 +6619,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
                return -ENOBUFS;
        }
 
-       if (chan->imtu < skb->len) {
-               BT_ERR("Too big LE L2CAP PDU");
+       if (skb->len > chan->imtu) {
+               BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
+                      chan->imtu);
+               l2cap_send_disconn_req(chan, ECONNRESET);
                return -ENOBUFS;
        }
 
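Review bot: The `BT_ERR` in the `skb->len > chan->imtu` branch fires on a length the remote peer controls and is logged at error level with no rate limit; the same holds for the `BT_ERR` in the `sdu_len > chan->imtu` branch of the second hunk. The added disconnect request limits how often a single channel can reach it, but a peer that keeps re-establishing channels could presumably still flood the kernel log. Consider the rate-limited helper, e.g. `bt_err_ratelimited("Too big LE L2CAP PDU: len %u > %u", skb->len, chan->imtu);`, if this tree provides it. The body of l2cap_ecred_data_rcv starts and ends outside this hunk, so how the caller treats the `-ENOBUFS` return after the disconnect request is not visible here.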
@@ -6646,7 +6648,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
                       sdu_len, skb->len, chan->imtu);
 
                if (sdu_len > chan->imtu) {
-                       BT_ERR("Too big LE L2CAP SDU length received");
+                       BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
+                              skb->len, sdu_len);
+                       l2cap_send_disconn_req(chan, ECONNRESET);
                        err = -EMSGSIZE;
                        goto failed;
                }
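Review bot: The new SDU-length message prints the wrong pair of values: the condition is `sdu_len > chan->imtu`, but the arguments are `skb->len, sdu_len`, so the log reads as if the PDU length had been compared with the SDU length. Print the operands of the check instead, `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`, which also matches the form of the PDU message in the first hunk. A one-line comment above the disconnect, `/* Core 6.0, Vol 3, Part A, 3.4.3: SDU length > MTU => disconnect */`, would keep the reason from the commit message next to the code. The `failed` label is outside the hunk, so the cleanup that runs after the disconnect request cannot be checked from here.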