Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1953157pxf; Sat, 13 Mar 2021 03:04:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJzgVU1Ybo+D8ci10ExbHHH2X/w3cnBJSXSZahtaZ1+H9MdODQMcnfMicNHbPQCeACzIHRRx X-Received: by 2002:a05:6402:b41:: with SMTP id bx1mr19651457edb.69.1615633472476; Sat, 13 Mar 2021 03:04:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615633472; cv=none; d=google.com; s=arc-20160816; b=RI3grI2imG90qQprYku3w/oMxuDTaefCnv+THUBjXmAd2rwxPsOg0Dh3wKcCHTHeBy xhLNC25BT2j0ry8blLCIWw74CYCNIU1i7c5FA/X4FXj2JHI4bb/Ez1fCul7qYdJZtVj8 Vwa69P0ubA6PnRg4gTic8gs07EmY8Bt4oCkFqjC6a0oZKIrNBRmEeOekvyQTeGIiQW1Y OuPJAhG9HUIRToLPgc3Z1B/ULXyg83bfkU9AbPtcr5CFexi2AwT0XtPqr+TAZkFHmFoH pkZ1o4Rj56WlN5hsVLRbTYnivCNxWz1DZ8EYWbn7dqjIUQvuSHwF65EqmWFIzWvhFz4z J+Ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=o/EkGZMtKfNg935P0oOnF7WvCkFj+R3kDnHo7ts4uOg=; b=pCqQs+12TrnhlxpXbIl5hIX66iy+vYCxryHFlMYj2l6fWfNIoHTBm4+4G7/rMQF+uZ le/RztCuIaQWVmdPF/uN1TbE9nrbD1vt/xOGwhUIC0cH/XuS+4gbv9GlZ/isqFTkfhxY ODikHqNy0MVdxZyklVwA9Tt32/Lw7xEHEW8Y4/VWm99xceQKdqKUE+T3+n/BMGTRnOs5 rbgJknMzWqKl4HANHgEh2uTlJGlKcGxp2y+SVhYZCIDTXJD0PnJZqwe7dAaw+Rm33TFv Bc/PzRfIv8J3hamnsQXIt+5dk4z3qZgVFdWUrT414zMcYL7BPtSu1ga1e/ZtPPkv5PaI IITQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p9si6401009edq.59.2021.03.13.03.04.10; Sat, 13 Mar 2021 03:04:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231134AbhCMLCe convert rfc822-to-8bit (ORCPT + 99 others); Sat, 13 Mar 2021 06:02:34 -0500 Received: from coyote.holtmann.net ([212.227.132.17]:36204 "EHLO mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230380AbhCMLC0 (ORCPT ); Sat, 13 Mar 2021 06:02:26 -0500 Received: from marcel-macbook.holtmann.net (p4fefc126.dip0.t-ipconnect.de [79.239.193.38]) by mail.holtmann.org (Postfix) with ESMTPSA id 331D0CED1B; Sat, 13 Mar 2021 12:10:01 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\)) Subject: Re: [PATCH] Bluetooth: L2CAP: Fix not checking for maximum number of DCID From: Marcel Holtmann In-Reply-To: <20210312181948.1225833-1-luiz.dentz@gmail.com> Date: Sat, 13 Mar 2021 12:02:24 +0100 Cc: linux-bluetooth@vger.kernel.org Content-Transfer-Encoding: 8BIT Message-Id: References: <20210312181948.1225833-1-luiz.dentz@gmail.com> To: Luiz Augusto von Dentz X-Mailer: Apple Mail (2.3654.60.0.2.21) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, > When receiving L2CAP_CREDIT_BASED_CONNECTION_REQ the remote may request > more channels than allowed by the spec (10 octecs = 5 CIDs) so this > truncates the response allowing it to create only the maximum allowed. so what does the spec say the behavior should be? Truncate or actually respond with an error? > Signed-off-by: Luiz Augusto von Dentz > --- > include/net/bluetooth/l2cap.h | 1 + > net/bluetooth/l2cap_core.c | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h > index 61800a7b6192..3c4f550e5a8b 100644 > --- a/include/net/bluetooth/l2cap.h > +++ b/include/net/bluetooth/l2cap.h > @@ -494,6 +494,7 @@ struct l2cap_le_credits { > > #define L2CAP_ECRED_MIN_MTU 64 > #define L2CAP_ECRED_MIN_MPS 64 > +#define L2CAP_ECRED_MAX_CID 5 > > struct l2cap_ecred_conn_req { > __le16 psm; > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index 72c2f5226d67..6325d4a89b31 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -5921,7 +5921,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, > struct l2cap_ecred_conn_req *req = (void *) data; > struct { > struct l2cap_ecred_conn_rsp rsp; > - __le16 dcid[5]; > + __le16 dcid[L2CAP_ECRED_MAX_CID]; > } __packed pdu; > struct l2cap_chan *chan, *pchan; > u16 mtu, mps; > @@ -5973,7 +5973,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, > cmd_len -= sizeof(*req); > num_scid = cmd_len / sizeof(u16); > > - for (i = 0; i < num_scid; i++) { > + for (i = 0; i < num_scid && i < ARRAY_SIZE(pdu.dcid); i++) { > u16 scid = __le16_to_cpu(req->scid[i]); > > BT_DBG("scid[%d] 0x%4.4x", i, scid); Is this really a good idea? I would prefer if we check the size first and then just respond with an error. Regards Marcel