Commit 61682bd6 authored by Johan Hedberg, committed by Anas Nashif

Bluetooth: L2CAP: Fix missing buffer length check for sdu_len



We should verify that the buffer has sufficient data before attempting
to parse the SDU length field. If we get a too short packet just
disconnect the channel.

Fixes #32497

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
parent 0249a626
+6 −0
@@ -2190,6 +2190,12 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
		return;
	}

	if (buf->len < 2) {
		BT_WARN("Too short data packet");
		bt_l2cap_chan_disconnect(&chan->chan);
		return;
	}

	sdu_len = net_buf_pull_le16(buf);

	BT_DBG("chan %p len %u sdu_len %u", chan, buf->len, sdu_len);
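
Review bot: the literal 2 in `if (buf->len < 2)` is implicitly the number of bytes that `net_buf_pull_le16(buf)` consumes two lines later. Writing it as sizeof(uint16_t) or a named constant for the SDU length field would keep the check and the pull tied together if either one changes. The BT_WARN text also carries no context: including chan and buf->len, as the BT_DBG line below does, would let a short packet be attributed to a specific channel from the log. A regression test that delivers a 0-byte and a 1-byte first PDU and expects the channel to be disconnected would pin this behaviour down.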