Patch "Bluetooth: L2CAP: Add missing checks for invalid DCID" has been added to the 4.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 10 Jun 2023 22:13:19 -0400

This is a note to let you know that I've just added the patch titled

    Bluetooth: L2CAP: Add missing checks for invalid DCID

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5a03f5fcca3e66d77dbc320ebb003e9ddf3d7c6b
Author: Sungwoo Kim <iam@xxxxxxxxxxxx>
Date:   Sat Jun 3 08:28:09 2023 -0400

    Bluetooth: L2CAP: Add missing checks for invalid DCID
    
    [ Upstream commit 75767213f3d9b97f63694d02260b6a49a2271876 ]
    
    When receiving a connect response we should make sure that the DCID is
    within the valid range and that we don't already have another channel
    allocated for the same DCID.
    Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
    Version 5.4 | Vol 3, Part A, Page 1046).
    
    Fixes: 40624183c202 ("Bluetooth: L2CAP: Add missing checks for invalid LE DCID")
    Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 281d1b375838a..25d88b8cfae97 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4007,6 +4007,10 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	result = __le16_to_cpu(rsp->result);
 	status = __le16_to_cpu(rsp->status);
 
+	if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
+					   dcid > L2CAP_CID_DYN_END))
+		return -EPROTO;
+
 	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
 	       dcid, scid, result, status);
 
@@ -4038,6 +4042,11 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 
 	switch (result) {
 	case L2CAP_CR_SUCCESS:
+		if (__l2cap_get_chan_by_dcid(conn, dcid)) {
+			err = -EBADSLT;
+			break;
+		}
+
 		l2cap_state_change(chan, BT_CONFIG);
 		chan->ident = 0;
 		chan->dcid = dcid;






