Commit 35c84d76 authored by Mat Martineau's avatar Mat Martineau Committed by Gustavo Padovan
Browse files

Bluetooth: Fix a redundant and problematic incoming MTU check 



The L2CAP MTU for incoming data is verified differently depending on
the L2CAP mode, so the check is best performed in a mode-specific
context.  Checking the incoming MTU before HCI fragment reassembly is
a layer violation and assumes all bytes after the standard L2CAP
header are L2CAP data.

This approach causes issues with unsegmented ERTM or streaming mode
frames, where there are additional enhanced or extended headers before
the data payload and possible FCS bytes after the data payload.  A
valid frame could be as many as 10 bytes larger than the MTU.

Removing this code is the best fix, because the MTU is checked later
on for all L2CAP data frames (connectionless, basic, ERTM, and
streaming).  This also gets rid of outdated locking (socket instead of
l2cap_chan) and an extra lookup of the channel ID.

Signed-off-by: default avatarMat Martineau <mathewm@codeaurora.org>
Reviewed-by: default avatarUlisses Furquim <ulisses@profusion.mobi>
Signed-off-by: default avatarGustavo Padovan <gustavo@padovan.org>
parent 85d59726

net/bluetooth/l2cap_core.c

+0 −20
Original line number Diff line number Diff line
@@ -5000,8 +5000,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 


	if (!(flags & ACL_CONT)) {

		struct l2cap_hdr *hdr;

		struct l2cap_chan *chan;

		u16 cid;

		int len;



		if (conn->rx_len) {
@@ -5021,7 +5019,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 


		hdr = (struct l2cap_hdr *) skb->data;

		len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;

		cid = __le16_to_cpu(hdr->cid);



		if (len == skb->len) {

			/* Complete frame received */
@@ -5038,23 +5035,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 
			goto drop;

		}



		chan = l2cap_get_chan_by_scid(conn, cid);



		if (chan && chan->sk) {

			struct sock *sk = chan->sk;

			lock_sock(sk);



			if (chan->imtu < len - L2CAP_HDR_SIZE) {

				BT_ERR("Frame exceeding recv MTU (len %d, "

							"MTU %d)", len,

							chan->imtu);

				release_sock(sk);

				l2cap_conn_unreliable(conn, ECOMM);

				goto drop;

			}

			release_sock(sk);

		}



		/* Allocate skb for the complete frame (with header) */

		conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);

		if (!conn->rx_skb)

CRA Git | Maintained and supported by SUSTech CRA and CCSE