You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mynewt.apache.org by ja...@apache.org on 2022/04/13 10:00:45 UTC
[mynewt-nimble] branch master updated: host/l2cap: disconnect if received packet is larger than MPS
This is an automated email from the ASF dual-hosted git repository.
janc pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-nimble.git
The following commit(s) were added to refs/heads/master by this push:
new 09466ab8 host/l2cap: disconnect if received packet is larger than MPS
09466ab8 is described below
commit 09466ab8105905388f5e800b722e4801de90560f
Author: Krzysztof Kopyściński <kr...@codecoup.pl>
AuthorDate: Tue Jul 20 14:11:53 2021 +0200
host/l2cap: disconnect if received packet is larger than MPS
Peer sending packet larger than MPS is invalid, and should be met
with L2CAP channel disconnection.
This affects L2CAP/LE/CFC/BV-27-C
---
nimble/host/src/ble_l2cap.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/nimble/host/src/ble_l2cap.c b/nimble/host/src/ble_l2cap.c
index fb1a6176..810d07b3 100644
--- a/nimble/host/src/ble_l2cap.c
+++ b/nimble/host/src/ble_l2cap.c
@@ -388,6 +388,16 @@ ble_l2cap_rx(struct ble_hs_conn *conn,
goto err;
}
+ /* For CIDs from dynamic range we check if SDU size isn't larger than MPS */
+ if (chan->dcid >= 0x0040 && chan->dcid <= 0x007F && l2cap_hdr.len > chan->my_coc_mps) {
+ /* Data exceeds MPS */
+ BLE_HS_LOG(ERROR, "error: sdu_len > chan->my_coc_mps (%d>%d)\n",
+ l2cap_hdr.len, chan->my_coc_mps);
+ ble_l2cap_disconnect(chan);
+ rc = BLE_HS_EBADDATA;
+ goto err;
+ }
+
if (chan->rx_buf != NULL) {
/* Previous data packet never completed. Discard old packet. */
ble_l2cap_remove_rx(conn, chan);