
Commit cf5c4293 authored by Ajay Kumar, committed by Ajay Panicker

Handled invalid MTU Size in L2cap Process Commands

Use case: Execute the L2CAP test suite on the Codenomicon tool

(1) From the Codenomicon Defensics 11 tool menu Utilities > Bluetooth Scan,
pair Bluetooth between the PC and the phone.
(2) From Defensics 11 Settings, choose the paired phone's Bluetooth address as the
Target Bluetooth device address in Basic configuration.
(3) Run the test case "Security - l2cap".
(4) When the run reaches test cases number 28 and 29, check the phone: BT turns
off and on.

Failure: BT crash observed due to invalid MTU packets from the test tool

Root cause: L2CAP is not validating packets in L2CAP Process Commands

Fix: Fixed by sending a reject CMD for invalid commands from the tool

Test: code compilation.

Change-Id: I8c503ab77d8fca3728a84c3457d8115e31ee3a13
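The root cause and fix above describe two length checks on an L2CAP signalling command: the command length must not exceed the receive buffer (rejected with the MTU-exceeded reason) and the command body must not run past the end of the packet. The following is an added example, not the Android/e/OS stack's own code, that implements both checks in a small stand-alone parser so the behaviour can be exercised on constructed packets. `SIG_CMD_MAX_LEN` is a constructed stand-in for `BT_SMALL_BUFFER_SIZE` (the real value is build-specific), and the sample packets are constructed; the opcode and reject-reason values are the Bluetooth Core specification's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for BT_SMALL_BUFFER_SIZE: the largest command body
 * the receive path may copy. The real value is build-specific (assumed). */
#define SIG_CMD_MAX_LEN   64u

#define L2CAP_SIG_HDR_LEN 4u       /* code(1) identifier(1) length(2) */
#define SIG_ECHO_REQ      0x08u    /* L2CAP Echo Request opcode (spec value) */
#define REJ_MTU_EXCEEDED  0x0001u  /* Command Reject reason "Signalling MTU exceeded" */

enum sig_verdict {
    SIG_OK = 0,             /* header sane, body fits: command may be handled */
    SIG_REJECT_MTU = 1,     /* length above the buffer cap: send Command Reject */
    SIG_DROP_TRUNCATED = 2, /* body would run past the end of the packet: drop */
    SIG_DROP_SHORT_HDR = 3  /* fewer than 4 bytes left: drop */
};

typedef struct {
    uint8_t code;
    uint8_t id;
    uint16_t len;
    const uint8_t *data;   /* points into the packet; valid only when SIG_OK */
} sig_cmd_t;

/* Read the signalling command that starts at pkt[*off].
 * Mirrors the order of checks in the fix: the length field is capped against
 * the receive buffer before it is used in any pointer arithmetic, and only then
 * compared with the bytes actually remaining in the packet. */
enum sig_verdict sig_parse_cmd(const uint8_t *pkt, size_t pkt_len,
                               size_t *off, sig_cmd_t *out)
{
    if (*off > pkt_len || pkt_len - *off < L2CAP_SIG_HDR_LEN)
        return SIG_DROP_SHORT_HDR;
    const uint8_t *p = pkt + *off;
    out->code = p[0];
    out->id   = p[1];
    out->len  = (uint16_t)(p[2] | ((uint16_t)p[3] << 8));  /* little-endian */
    if (out->len > SIG_CMD_MAX_LEN)
        return SIG_REJECT_MTU;
    if (out->len > pkt_len - *off - L2CAP_SIG_HDR_LEN)
        return SIG_DROP_TRUNCATED;
    out->data = p + L2CAP_SIG_HDR_LEN;
    *off += L2CAP_SIG_HDR_LEN + out->len;
    return SIG_OK;
}

typedef struct { unsigned handled, rejected, dropped; } sig_stats_t;

/* Walk every command in one signalling packet. As in the fix, a rejected or
 * truncated command ends processing of the packet: its length field cannot be
 * trusted to locate the next command. */
sig_stats_t sig_process_packet(const uint8_t *pkt, size_t pkt_len)
{
    sig_stats_t st = {0, 0, 0};
    size_t off = 0;
    while (pkt_len - off >= L2CAP_SIG_HDR_LEN) {
        sig_cmd_t cmd;
        enum sig_verdict v = sig_parse_cmd(pkt, pkt_len, &off, &cmd);
        if (v == SIG_OK) {
            st.handled++;   /* an echo handler would copy cmd.len bytes from cmd.data here */
        } else if (v == SIG_REJECT_MTU) {
            st.rejected++;  /* a real stack sends Command Reject with REJ_MTU_EXCEEDED */
            break;
        } else {
            st.dropped++;
            break;
        }
    }
    return st;
}

/* Constructed sample packets. */
const uint8_t SAMPLE_GOOD[]      = {SIG_ECHO_REQ, 0x01, 0x02, 0x00, 'h', 'i'};       /* len 2, 2 bytes follow */
const uint8_t SAMPLE_OVERSIZE[]  = {SIG_ECHO_REQ, 0x02, 0xFF, 0xFF, 0x00};           /* len 65535 */
const uint8_t SAMPLE_TRUNCATED[] = {SIG_ECHO_REQ, 0x03, 0x10, 0x00, 0xAA, 0xBB};     /* len 16, 2 bytes follow */
const uint8_t SAMPLE_MIXED[]     = {SIG_ECHO_REQ, 0x01, 0x02, 0x00, 'h', 'i',
                                    SIG_ECHO_REQ, 0x02, 0xFF, 0xFF, 0x00};           /* good, then oversize */

int main(void)
{
    sig_stats_t s = sig_process_packet(SAMPLE_MIXED, sizeof SAMPLE_MIXED);
    printf("handled=%u rejected=%u dropped=%u\n", s.handled, s.rejected, s.dropped);
    return 0;
}
```

The two checks are deliberately ordered: the cap against `SIG_CMD_MAX_LEN` runs on the raw 16-bit field, so an attacker-supplied length is never added to a pointer before it has been bounded, and the second check keeps the body inside the packet even when the length is below the cap.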
parent 64c30931
+7 −1
@@ -296,6 +296,12 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
    STREAM_TO_UINT8(id, p);
    STREAM_TO_UINT8(id, p);
    STREAM_TO_UINT16(cmd_len, p);
    STREAM_TO_UINT16(cmd_len, p);


    if (cmd_len > BT_SMALL_BUFFER_SIZE) {
      L2CAP_TRACE_WARNING("L2CAP - Invalid MTU Size");
      l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_MTU_EXCEEDED, id, 0, 0);
      return;
    }

    /* Check command length does not exceed packet length */
    /* Check command length does not exceed packet length */
    if ((p_next_cmd = p + cmd_len) > p_pkt_end) {
    if ((p_next_cmd = p + cmd_len) > p_pkt_end) {
      L2CAP_TRACE_WARNING("Command len bad  pkt_len: %d  cmd_len: %d  code: %d",
      L2CAP_TRACE_WARNING("Command len bad  pkt_len: %d  cmd_len: %d  code: %d",
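Review bot: the new reject passes 0, 0 as the trailing data arguments to l2cu_send_peer_cmd_reject, but the Command Reject reason L2CAP_CMD_REJ_MTU_EXCEEDED is defined by the Core specification to carry the actual signalling MTU in its two data bytes, so as written the peer appears to be told the MTU is 0; pass the real limit (the value BT_SMALL_BUFFER_SIZE stands for, or the configured signalling MTU) instead. Placing the check before the existing p_next_cmd computation is the right order, since cmd_len is bounded before it is added to p. A small naming point: the log text "Invalid MTU Size" and the commit title talk about an MTU, while what is being validated is cmd_len against a buffer size; wording the warning as a command-length check would help anyone reading the trace later.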
@@ -626,7 +632,7 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
        break;
        break;


      case L2CAP_CMD_ECHO_REQ:
      case L2CAP_CMD_ECHO_REQ:
        l2cu_send_peer_echo_rsp(p_lcb, id, NULL, 0);
        l2cu_send_peer_echo_rsp(p_lcb, id, p, cmd_len);
        break;
        break;


      case L2CAP_CMD_ECHO_RSP:
      case L2CAP_CMD_ECHO_RSP:
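Review bot: changing the echo response from (NULL, 0) to (p, cmd_len) is a behaviour change the commit message does not mention (it only describes the reject), so please document it there, including that copying cmd_len bytes from the received buffer is only safe because the cmd_len <= BT_SMALL_BUFFER_SIZE check and the p_next_cmd <= p_pkt_end check at the top of process_l2cap_cmd run before this case. The message's Test line says only "code compilation"; re-running Defensics cases 28 and 29 from the use case would exercise both the new reject path and this echo path.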