2022-11-04 16:21:38

by Sungwoo Kim

Subject: L2CAP: Spec violation

Hello,

Our fuzzer found a BT spec violation, an illegal state transition in L2CAP.
Specifically, l2cap_chan::state is transitioned from BT_CONFIG to
BT_DISCONN by CONFIG_RSP via the following trace:

l2cap_config_rsp l2cap_core.c:4498
l2cap_send_disconn_req l2cap_core.c:4585
l2cap_state_change l2cap_core.c:1618

According to the spec (5.3, Vol. 3, Part A, section 6.1.4), CONFIG_RSP cannot
cause that transition, i.e., CONFIG -> DISCONN on CONFIG_RSP is illegal.
It'd be great if we could discuss.

Thanks,
Sungwoo.


2022-11-14 22:11:59

by Luiz Augusto von Dentz

Subject: Re: L2CAP: Spec violation

Hi Kim,

On Fri, Nov 4, 2022 at 9:13 AM Sungwoo Kim <[email protected]> wrote:
>
> Hello,
>
> Our fuzzer found a BT spec violation, an illegal state transition in L2CAP.
> Specifically, l2cap_chan::state is transitioned from BT_CONFIG to
> BT_DISCONN by CONFIG_RSP via the following trace:
>
> l2cap_config_rsp l2cap_core.c:4498
> l2cap_send_disconn_req l2cap_core.c:4585
> l2cap_state_change l2cap_core.c:1618
>
> According to the spec (5.3, Vol. 3, Part A, section 6.1.4), CONFIG_RSP cannot
> cause that transition, i.e., CONFIG -> DISCONN on CONFIG_RSP is illegal.
> It'd be great if we could discuss.

Can you include some btmon traces?


--
Luiz Augusto von Dentz

2022-11-15 05:09:47

by Sungwoo Kim

Subject: Re: L2CAP: Spec violation

Sure,

btmon trace:
(...)

> ACL Data RX: Handle 200 flags 0x00 dlen 1033                    #32 [hci0] 17.083174
      invalid packet size (12 != 1033)
      08 00 01 00 02 01 04 00 01 10 ff ff                          ............
@ MGMT Event: Device Connected (0x000b) plen 13            {0x0002} [hci0] 17.104462
        BR/EDR Address: 10:AA:AA:AA:AA:AA (OUI 10-AA-AA)
        Flags: 0x00000000
        Data length: 0
@ MGMT Event: Device Connected (0x000b) plen 13            {0x0001} [hci0] 17.104462
        BR/EDR Address: 10:AA:AA:AA:AA:AA (OUI 10-AA-AA)
        Flags: 0x00000000
        Data length: 0
< ACL Data TX: Handle 200 flags 0x02 dlen 16                      #33 [hci0] 17.149691
      L2CAP: Connection Response (0x03) ident 1 len 8
        Destination CID: 64
        Source CID: 65535
        Result: Connection pending (0x0001)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 200 flags 0x02 dlen 10                      #34 [hci0] 17.154828
      L2CAP: Information Request (0x0a) ident 2 len 2
        Type: Extended features supported (0x0002)
> ACL Data RX: Handle 200 flags 0x00 dlen 2061                    #35 [hci0] 17.145762
      invalid packet size (16 != 2061)
      0c 00 01 00 04 01 08 00 40 00 00 00 01 02 00 00              ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061                    #36 [hci0] 17.146654
      invalid packet size (16 != 2061)
      0c 00 01 00 03 01 08 00 00 00 00 00 00 00 00 00              ................
> ACL Data RX: Handle 200 flags 0x00 dlen 2061                    #37 [hci0] 17.147190
      invalid packet size (16 != 2061)
      0c 00 01 00 04 01 08 00 40 00 00 00 05 00 00 00              ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 1804                    #38 [hci0] 17.148090
      invalid packet size (15 != 1804)
      0b 00 01 00 04 01 07 00 40 00 00 00 05 00 00                 ........@......
> ACL Data RX: Handle 200 flags 0x00 dlen 1547                    #39 [hci0] 17.148708
      invalid packet size (14 != 1547)

(...)

The last ACL data packet invokes:
l2cap_bredr_sig_cmd
l2cap_config_rsp
l2cap_send_disconn_req
l2cap_state_change_and_error
Bluetooth: chan 00000000205763be BT_CONFIG -> BT_DISCONN

Here are the code and the whole log:
https://gist.github.com/swkim101/82bc694f9427f008c14e91307b3355b6

Thanks.
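btmon printed "invalid packet size" for the fuzzer's RX frames because the ACL data length field (1033, 2061, ...) disagreed with the bytes actually delivered, so it dumped raw hex instead of decoding them. The following is an added example, written for this page and not code from the thread, from the gist, or from the kernel's l2cap_core.c: a small C decoder that walks those hex lines as L2CAP C-frames, checks every length field against the bytes present rather than trusting it, and decodes the configuration options of the CONFIG_REQ frames. The sample input is the hex copied from the RX lines above (packet #39 is left out because its bytes do not appear in the trace). It assumes one signaling command per C-frame, which is what the dump shows; a full parser would loop over commands the way the kernel does. It only decodes what was sent; it does not reproduce the BT_CONFIG -> BT_DISCONN transition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Signaling channel and the command codes seen in the trace (Core spec
 * Vol 3 Part A, section 4). */
#define L2CAP_CID_SIGNALING 0x0001
#define L2CAP_CONF_REQ      0x04

struct l2cap_sig {
    uint16_t frame_len;      /* basic header: PDU length */
    uint16_t cid;            /* basic header: channel ID */
    uint8_t  code, ident;    /* signaling command header */
    uint16_t cmd_len;
    const uint8_t *data;     /* command payload */
    size_t   avail;          /* payload bytes actually present */
};

struct conf_opt {
    uint8_t type, len;
    const uint8_t *value;
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Turn one btmon hex-dump line ("0c 00 01 00 ...") into bytes. */
size_t hex_to_bytes(const char *hex, uint8_t *out, size_t max)
{
    size_t n = 0;
    while (n < max) {
        char *end;
        unsigned long v = strtoul(hex, &end, 16);  /* skips leading blanks */
        if (end == hex || v > 0xff)
            break;
        out[n++] = (uint8_t)v;
        hex = end;
    }
    return n;
}

/* Parse an ACL payload carrying one L2CAP signaling command.  Length fields
 * are verified against the bytes really present instead of being trusted.
 * Returns 0 on success or a negative code naming the inconsistency. */
int l2cap_sig_parse(const uint8_t *buf, size_t n, struct l2cap_sig *s)
{
    if (n < 8)
        return -1;                           /* both headers need 8 bytes */
    s->frame_len = le16(buf);
    s->cid       = le16(buf + 2);
    s->code      = buf[4];
    s->ident     = buf[5];
    s->cmd_len   = le16(buf + 6);
    s->data      = buf + 8;
    s->avail     = n - 8;
    if (s->cid != L2CAP_CID_SIGNALING)
        return -2;                           /* not a C-frame */
    if ((size_t)s->frame_len != n - 4)
        return -3;                           /* PDU length lies about the frame */
    if ((size_t)s->cmd_len != s->avail)
        return -4;                           /* assumption: one command per C-frame */
    return 0;
}

/* Walk the type/length/value options after Destination CID and Flags in a
 * CONFIG_REQ.  Returns the number of complete options, or -1 when an option
 * header or value runs past the end of the payload (packet #38 above). */
int l2cap_conf_req_options(const struct l2cap_sig *s, struct conf_opt *out, int max)
{
    if (s->code != L2CAP_CONF_REQ || s->avail < 4)
        return -1;
    size_t off = 4;                          /* skip DCID and Flags */
    int count = 0;
    while (off < s->avail) {
        if (off + 2 > s->avail)
            return -1;                       /* type present, length byte missing */
        uint8_t type = s->data[off], len = s->data[off + 1];
        if (off + 2 + len > s->avail)
            return -1;                       /* value shorter than declared */
        if (count < max) {
            out[count].type  = type;
            out[count].len   = len;
            out[count].value = s->data + off + 2;
        }
        count++;
        off += 2 + (size_t)len;
    }
    return count;
}

/* RX payloads copied from the btmon dump in the thread (constructed input). */
static const struct { const char *pkt, *hex; } captured[] = {
    { "#32", "08 00 01 00 02 01 04 00 01 10 ff ff" },
    { "#35", "0c 00 01 00 04 01 08 00 40 00 00 00 01 02 00 00" },
    { "#36", "0c 00 01 00 03 01 08 00 00 00 00 00 00 00 00 00" },
    { "#37", "0c 00 01 00 04 01 08 00 40 00 00 00 05 00 00 00" },
    { "#38", "0b 00 01 00 04 01 07 00 40 00 00 00 05 00 00" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof captured / sizeof captured[0]; i++) {
        uint8_t buf[64];
        struct l2cap_sig s;
        struct conf_opt opts[8];
        size_t n = hex_to_bytes(captured[i].hex, buf, sizeof buf);
        int rc = l2cap_sig_parse(buf, n, &s);
        if (rc) {
            printf("%s: malformed C-frame (%d)\n", captured[i].pkt, rc);
            continue;
        }
        printf("%s: code 0x%02x ident %u len %u\n",
               captured[i].pkt, s.code, s.ident, s.cmd_len);
        if (s.code != L2CAP_CONF_REQ)
            continue;
        int cnt = l2cap_conf_req_options(&s, opts, 8);
        printf("    DCID 0x%04x flags 0x%04x: ", le16(s.data), le16(s.data + 2));
        if (cnt < 0) {
            printf("options truncated\n");
            continue;
        }
        for (int k = 0; k < cnt && k < 8; k++)
            printf("opt type 0x%02x len %u  ", opts[k].type, opts[k].len);
        printf("\n");
    }
    return 0;
}
```

Run as-is, the decoder shows what the RX side actually carried: #32 is a Connection Request (code 0x02) for PSM 0x1001 with source CID 0xffff, which matches the "Source CID: 65535" in the kernel's Connection Response; #35 and #37 are Configuration Requests for DCID 0x40 (the CID the kernel allocated), one with an MTU option of length 2 and one with a type 0x05 option of length 0 followed by a type 0x00 option; #36 is a Connection Response with all-zero CIDs; and #38 is a 7-byte Configuration Request whose option list is cut off after "05 00 00", which the option walker reports rather than reading past the payload. All three requests reuse ident 1.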