Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3642571pxf;
        Mon, 15 Mar 2021 14:45:47 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwbsJE6lmQgbG08gZmfCpAnQAB++fCGQKZWJ0Fw6INdVucqKXKJWXn13AqTD8kuBYadhWqX
X-Received: by 2002:a17:906:a94b:: with SMTP id hh11mr26319409ejb.459.1615844747087;
        Mon, 15 Mar 2021 14:45:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1615844747; cv=none;
        d=google.com; s=arc-20160816;
        b=HleWkSrrmwjvgUr3Q8dC6UZnTR9owZr+JIzLqNASbok+MZWi29n1LcciRaTG2yR1hC
         zM8tuymWOfJ90dAL+uzcfc2WCLfVrONWOEhSFktUWzbXeoWX22GkGSTJRBpSB7RSe5w5
         tb5Fb75xqWH91md3V2dvtDFdIsP1JgWODGHKQr27q9lSeuPG010480Qp/r2H+BmaGv48
         wSH8xTNp67QD6fQe4Yopqsz+qTcMZ6gCdAHeMXod1b5SjqFqBxCW7ey0K54lZBEXvm4k
         Eb/i2+tfHVnrV3pzlxMAsUkkDBESmpbrh/KT215I+pUjulGdEXkeIxClwr9fHb/1Tuhd
         fwZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=c2LNfrkoZiMGFTIJG/i9VYE2etsrlnCmN/4Qd+uOMTg=;
        b=DwykyD7h4y2C7ahFbmx58yjsGUxDVzxrwBCk26eRxXzOyqMlErWO57Ww9aV+o5n7TY
         Hbr5RA7WsfiT84CHkYYFoGfSLiPb9pmI5ttw1JXAji5IVPqDDvTbabJ/Qa7UZXAWISmv
         P389VF2yTxr2OWmewXwnlD2+iKQDIpgmbrqgv8LXSCMSnVLoZU+itYVo2mACrY8B7rzL
         ErN6KM2g5GLRS06DWelHa/uX7zODtAsjrC4mATvlTZiOUMSIKnZ/X+ohiwA76gG2fE4x
         jYnct7FlqqW/qC35W13XqIKPYQ/bTOdV8bRxZ6Jrq6nBK7uD5i7qMLCWkhJ0fbWkSaTT
         FJ+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=vKqUkqLi;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j10si12526577ejs.556.2021.03.15.14.45.24;
        Mon, 15 Mar 2021 14:45:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=vKqUkqLi;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231826AbhCOUFN (ORCPT <rfc822;mafaneh@gmail.com> + 99 others);
        Mon, 15 Mar 2021 16:05:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39566 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233064AbhCOUEm (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Mon, 15 Mar 2021 16:04:42 -0400
Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E5180C06174A
        for <linux-bluetooth@vger.kernel.org>; Mon, 15 Mar 2021 13:04:41 -0700 (PDT)
Received: by mail-pj1-x1030.google.com with SMTP id mz6-20020a17090b3786b02900c16cb41d63so173070pjb.2
        for <linux-bluetooth@vger.kernel.org>; Mon, 15 Mar 2021 13:04:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=c2LNfrkoZiMGFTIJG/i9VYE2etsrlnCmN/4Qd+uOMTg=;
        b=vKqUkqLivyYNPh1CxtK4lHhCoGmlSRI5ItqvBAjHkJ6rMvi+8/+Y5vAuDj7BZBdFOM
         Kub8nd2ciwtX38amax1GCFC3Q/OlAKCy4KNiy+y/y32xv6jDaljma8bdC45nVeVGkdUA
         iApdVKxEkbXUS7SPAEdfddKdfARwRbmizwkwByWgpzzLHJXIh4R3lfKBo9EszO2LtuPQ
         kuOuNZdv/mEG1OOC0L9AYK931gqXwzX/zxZaqiBHAMKynmGh3QAVM6EkGnVrGoMPeTRZ
         pPzzuCaQcCmywKw1FDGnXdPeW3bKWVCR3azq9SKyj/Vz3rDv1d2zdZPn8Q866rLBOE04
         OMcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=c2LNfrkoZiMGFTIJG/i9VYE2etsrlnCmN/4Qd+uOMTg=;
        b=WwqgfBvoW1b7ymjOX2iOTsAUwv274/gA1N613JG1a8YEB89Yo/WGvgdSXTxdtfx1iJ
         +7I7c/WGiCh0SF2fjMvcakbCW5wF7aTm67h3FxIk98RBWjkbXTPy5vcjzeqW7t9WBTXq
         /C5j+tc/f61ejoN6UeFBaHhMPisBiNNVIBGQw5yGWT9WllCyFWs9vOP5ELVPyTh9lEDE
         SpUCXHk03Tvvy2OSIC5+Qge7qlWdn7AwVAdGYWfyv2Y/lFkVpyp/xdB8uuYgcLZ/IKue
         Te6Sl7gAeYgttfkaBz8myGIQMV0EVy1/v/vdUK2OyYC/qsg3BFnjztdxEnqxemGR5dNb
         nyow==
X-Gm-Message-State: AOAM530IL4gPYUpUGwNwN2pkmg7Rm+PwJ2TJFdthW0p+f2iE2v7mSOZH
        ZHqtFa6zmR53wYbmYDCm9A00XMaSKfBk6g==
X-Received: by 2002:a17:902:d30c:b029:e3:f95:6da5 with SMTP id b12-20020a170902d30cb02900e30f956da5mr13271258plc.6.1615838681037;
        Mon, 15 Mar 2021 13:04:41 -0700 (PDT)
Received: from localhost.localdomain (c-71-56-157-77.hsd1.or.comcast.net. [71.56.157.77])
        by smtp.gmail.com with ESMTPSA id q95sm457395pjq.20.2021.03.15.13.04.40
        for <linux-bluetooth@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 15 Mar 2021 13:04:40 -0700 (PDT)
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To:     linux-bluetooth@vger.kernel.org
Subject: [PATCH v2] Bluetooth: L2CAP: Fix not checking for maximum number of DCID
Date:   Mon, 15 Mar 2021 13:04:37 -0700
Message-Id: <20210315200437.1800434-1-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

When receiving L2CAP_CREDIT_BASED_CONNECTION_REQ the remote may request
more channels than allowed by the spec (10 octecs = 5 CIDs) so this
checks if the number of channels is bigger than the maximum allowed and
respond with an error.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
v2: Respond with an error instead of truncating the response with maximum
allowed nunber of channels.

 include/net/bluetooth/l2cap.h |  1 +
 net/bluetooth/l2cap_core.c    | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 61800a7b6192..3c4f550e5a8b 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -494,6 +494,7 @@ struct l2cap_le_credits {
 
 #define L2CAP_ECRED_MIN_MTU		64
 #define L2CAP_ECRED_MIN_MPS		64
+#define L2CAP_ECRED_MAX_CID		5
 
 struct l2cap_ecred_conn_req {
 	__le16 psm;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 72c2f5226d67..374cc32d7138 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5921,7 +5921,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
 	struct l2cap_ecred_conn_req *req = (void *) data;
 	struct {
 		struct l2cap_ecred_conn_rsp rsp;
-		__le16 dcid[5];
+		__le16 dcid[L2CAP_ECRED_MAX_CID];
 	} __packed pdu;
 	struct l2cap_chan *chan, *pchan;
 	u16 mtu, mps;
@@ -5938,6 +5938,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
 		goto response;
 	}
 
+	cmd_len -= sizeof(*req);
+	num_scid = cmd_len / sizeof(u16);
+
+	if (num_scid > ARRAY_SIZE(pdu.dcid)) {
+		result = L2CAP_CR_LE_INVALID_PARAMS;
+		goto response;
+	}
+
 	mtu  = __le16_to_cpu(req->mtu);
 	mps  = __le16_to_cpu(req->mps);
 
@@ -5970,8 +5978,6 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
 	}
 
 	result = L2CAP_CR_LE_SUCCESS;
-	cmd_len -= sizeof(*req);
-	num_scid = cmd_len / sizeof(u16);
 
 	for (i = 0; i < num_scid; i++) {
 		u16 scid = __le16_to_cpu(req->scid[i]);
-- 
2.30.2