Hi Gustavo,
>> Are you using ERTM or Streaming mode? If yes, I have a guess about the
>> source of the problem. On l2cap_parse_conf_rsp we check for:
>>
>> while (len >= L2CAP_CONF_OPT_SIZE) {
>> len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
>>
>> But on case L2CAP_CONF_RFC olen is greater than L2CAP_CONF_OPT_SIZE we
>> can exceed the buffer size. So the right fix will be check if len >=
>> olen in that case.
>
> We use test tool which sends "Configure Response" packet with size 262
> bytes. So "req" buffer gets overwritten. But in the code nobody checks
> that "req" might be overwritten.
The packet we are sending is:
Bluetooth L2CAP Packet
Length: 266
CID: 0x0001
Command: Configure Response
Command Code: Configure Response (0x05)
Command Identifier: 0x02
Command Length: 262
Source CID: 0x0040
.... .... .... ...0 = Continuation Flag: False
Result: Failure - unacceptable parameters (0x0001)
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
Option: MTU
.............
We can check of course that parameter MTU is already exist. Still
there is possibility to overwrite 64 bytes of req buffer so some check
is needed.
-- Andrei
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
