Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2eea21f2 authored by kuanyuhuang's avatar kuanyuhuang Committed by Tom Huang
Browse files

l2cap: Fix Le Coc payload length checking 

Accroding to Bluetooth Core 5.2 | Vol 3, Part A, 3.4.3.
In LE Coc flow control modes, receiver shall disconnect L2CAP channel when
1. SDU length field value exceeds the receiver's MTU
2. the payload length of any K-frame exceeds the receiver's MPS
3. the sum of the payload lengths for the K-frames exceeds the specified SDU length

Bug: 237503065
Bug: 235195694
Tag: #feature
Test: PTS L2CAP/LE/CFC/BV-26, 27, 28
Change-Id: Ibaac8ec414a53a7c9f31d2f506a851d4fe1f00ab
parent 7026995d

system/stack/l2cap/l2c_fcr.cc

+9 −2
Original line number Diff line number Diff line
@@ -681,8 +681,12 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { 


  /* Buffer length should not exceed local mps */

  if (p_buf->len > p_ccb->local_conn_cfg.mps) {

    /* Discard the buffer */

    LOG_ERROR("buffer length=%d exceeds local mps=%d. Drop and disconnect.",

              p_buf->len, p_ccb->local_conn_cfg.mps);



    /* Discard the buffer and disconnect*/

    osi_free(p_buf);

    l2cu_disconnect_chnl(p_ccb);

    return;

  }
@@ -699,8 +703,11 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { 


    /* Check the SDU Length with local MTU size */

    if (sdu_length > p_ccb->local_conn_cfg.mtu) {

      /* Discard the buffer */

      LOG_ERROR("sdu length=%d exceeds local mtu=%d. Drop and disconnect.",

                sdu_length, p_ccb->local_conn_cfg.mtu);

      /* Discard the buffer and disconnect*/

      osi_free(p_buf);

      l2cu_disconnect_chnl(p_ccb);

      return;

    }