author | Arkadiusz Lichwa <arkadiusz.lichwa@tieto.com> | 2016-10-12 22:02:28 +0200 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2016-10-21 07:47:31 +0300 |
commit | 5f494c63dbfca9e139a017ef5072cddbf2d77c3f | |
tree | dedbf7526b2c1039da60e9071fb0c4fd04918ea3 /net | |
parent | cdebad8942dade0aa30ef0096de4bbe2b2103725 | |
Bluetooth: L2CAP: Protect fixed channels
During connection, fixed channels need to be operational all the time on
the link. A remote malicious user can tailor a control packet with a proper CID
using a disconnection request or response that can cause fixed channel
removal from the connection context.
> HCI Event: Number of Completed Packets (0x13) plen 5 [hci0] 16:34:56.157666
Num handles: 1
Handle: 77
Count: 1
> ACL Data RX: Handle 77 flags 0x02 dlen 12 [hci0] 16:34:56.161162
L2CAP: Disconnection Response (0x07) ident 236 len 4
Destination CID: 1
Source CID: 1605
> ACL Data RX: Handle 77 flags 0x02 dlen 12 [hci0] 16:34:56.164916
L2CAP: Disconnection Request (0x06) ident 237 len 4
Destination CID: 0
Source CID: 0
< HCI Command: Host Number of Completed Packets (0x03|0x0035) plen 5 [hci0] 16:34:56.166326
Num handles: 1
Handle: 77
Count: 1
< HCI Command: Host Number of Completed Packets (0x03|0x0035) plen 5 [hci0] 16:34:56.167380
Num handles: 1
Handle: 77
Count: 1
> ACL Data RX: Handle 77 flags 0x02 dlen 10 [hci0] 16:34:56.168660
L2CAP: Information Request (0x0a) ident 238 len 2
Type: Extended features supported (0x0002)
< HCI Command: Host Number of Completed Packets (0x03|0x0035) plen 5 [hci0] 16:34:56.170475
Num handles: 1
Handle: 77
Count: 1
> ACL Data RX: Handle 77 flags 0x02 dlen 10 [hci0] 16:34:58.671203
L2CAP: Information Request (0x0a) ident 239 len 2
Type: Extended features supported (0x0002)
< HCI Command: Host Number of Completed Packets (0x03|0x0035) plen 5 [hci0] 16:34:58.674439
Num handles: 1
Handle: 77
Count: 1
Change-Id: I3df3ec987c7abab8657349a2d5fe67831f528214
Signed-off-by: Arkadiusz Lichwa <arkadiusz.lichwa@tieto.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/l2cap.c | 5 |
-rw-r--r-- | net/bluetooth/l2cap_br.c | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index cf071e993..d3c349c75 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -664,6 +664,11 @@ static struct bt_l2cap_le_chan *l2cap_remove_tx_cid(struct bt_conn *conn, { struct bt_l2cap_chan *chan, *prev; + /* Protect fixed channels against accidental removal */ + if (!L2CAP_LE_CID_IS_DYN(cid)) { + return NULL; + } + for (chan = conn->channels, prev = NULL; chan; prev = chan, chan = chan->_next) { /* get the app's l2cap object wherein this chan is contained */ diff --git a/net/bluetooth/l2cap_br.c b/net/bluetooth/l2cap_br.c index f9bacd651..dc117817f 100644 --- a/net/bluetooth/l2cap_br.c +++ b/net/bluetooth/l2cap_br.c @@ -1161,6 +1161,11 @@ static struct bt_l2cap_br_chan *l2cap_br_remove_tx_cid(struct bt_conn *conn, { struct bt_l2cap_chan *chan, *prev; + /* Protect fixed channels against accidental removal */ + if (!L2CAP_BR_CID_IS_DYN(cid)) { + return NULL; + } + for (chan = conn->channels, prev = NULL; chan; prev = chan, chan = chan->_next) { /* get the app's l2cap object wherein this chan is contained */ |
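Review bot: In l2cap_remove_tx_cid() in net/bluetooth/l2cap.c, the new early `return NULL;` for a non-dynamic cid is silent, and none of the callers are part of this diff. Please confirm that every caller treats NULL as "no such channel" and never dereferences the result. The comment "Protect fixed channels against accidental removal" also undersells the case in the commit message, where the removal is requested by the remote side through a Disconnection Request or Response; wording that says so would make the purpose of the guard clearer to the next reader.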
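Review bot: The guard `if (!L2CAP_BR_CID_IS_DYN(cid))` at the top of l2cap_br_remove_tx_cid() in net/bluetooth/l2cap_br.c depends entirely on a macro whose definition is not shown in this diff. The trace in the commit message uses destination CIDs 0 and 1, so it is worth checking that the macro's range excludes both and documenting that range next to the macro. Because this check is a copy of the one added in l2cap.c, a regression test that sends a disconnection request for a fixed CID on each transport would keep the two paths in step.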