From: Frédéric Danis
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] Bluetooth: L2CAP: Fix possible multiple reject send
Date: Tue, 19 Dec 2023 09:10:22 +0100
Message-Id: <20231219081022.41395-1-frederic.danis@collabora.com>

In case of an incomplete command or a command with a null identifier 2 reject packets will be sent, one with the identifier and one with 0. Consuming the data of the command will prevent it.
This allows sending a reject packet for each corrupted command in a multi-command packet.

Signed-off-by: Frédéric Danis
--- net/bluetooth/l2cap_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index baeebee41cd9..60298975d5c4 100644
--- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6526,7 +6526,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, if (len > skb->len || !cmd->ident) { BT_DBG("corrupted command"); l2cap_sig_send_rej(conn, cmd->ident); - break; + skb_pull(skb, len > skb->len ? skb->len : len); + continue; } err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); -- 2.34.1
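
Review bot: The added "skb_pull(skb, len > skb->len ? skb->len : len);" handles two different failure cases and the code does not say which does what. When len > skb->len the clamp drains everything left in the skb, so the following "continue" can only fall out of the loop after a single reject; only the !cmd->ident case with a valid len actually advances to the next command in the packet. A short comment stating that, and that the clamp is what keeps skb_pull() from being asked for more bytes than remain, would make the intent clear, and the open-coded ternary would read better as a min_t() on the type of len. The loop condition is not visible in this hunk, so please confirm it re-checks the remaining skb->len after each "continue", since termination now depends on it rather than on "break". Note also that the number of rejects sent for one received packet is now limited only by how many null-identifier commands fit in it; worth confirming that is acceptable.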