Bluetooth: L2CAP: Fix missing buffer length check for sdu_len

We should verify that the buffer has sufficient data before attempting to parse the SDU length field. If we get a too short packet just disconnect the channel. Fixes #32497 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
zephyrproject-rtos · Mar 23, 2021 · 3a06d3d · 3a06d3d
1 parent 3c1fb27
commit 3a06d3d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
@@ -2185,6 +2185,12 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
 		return;
 	}
 
+	if (buf->len < 2) {
+		BT_WARN("Too short data packet");
+		bt_l2cap_chan_disconnect(&chan->chan);
+		return;
+	}
+
 	sdu_len = net_buf_pull_le16(buf);
 
 	BT_DBG("chan %p len %u sdu_len %u", chan, buf->len, sdu_len);