Skip to content
Browse files

Bluetooth: L2CAP: Fix inverting of SCID and DCID on disconnect

For the request:

DCID shall map to rx.cid:
  'This field specifies the endpoint of the channel to be disconnected
  on the device receiving this request.'

SCID shall map to tx.cid:
  'This field specifies the endpoint of the channel to be disconnected
  on the device sending this request.'

For the response when receiving the roles are inverted.

Fixes #16799

Signed-off-by: Luiz Augusto von Dentz <>
  • Loading branch information...
Vudentz authored and jhedberg committed Jun 11, 2019
1 parent 8a92818 commit e61c5b3630ef013907c62acfdd53180a30cd5ecd
Showing with 11 additions and 11 deletions.
  1. +11 −11 subsys/bluetooth/host/l2cap.c
@@ -883,7 +883,7 @@ static void le_conn_req(struct bt_l2cap *l2cap, u8_t ident,
bt_l2cap_send(conn, BT_L2CAP_CID_LE_SIG, buf);

static struct bt_l2cap_le_chan *l2cap_remove_tx_cid(struct bt_conn *conn,
static struct bt_l2cap_le_chan *l2cap_remove_rx_cid(struct bt_conn *conn,
u16_t cid)
struct bt_l2cap_chan *chan;
@@ -913,18 +913,18 @@ static void le_disconn_req(struct bt_l2cap *l2cap, u8_t ident,
struct bt_l2cap_le_chan *chan;
struct bt_l2cap_disconn_req *req = (void *)buf->data;
struct bt_l2cap_disconn_rsp *rsp;
u16_t scid;
u16_t dcid;

if (buf->len < sizeof(*req)) {
BT_ERR("Too small LE conn req packet size");

scid = sys_le16_to_cpu(req->scid);
dcid = sys_le16_to_cpu(req->dcid);

BT_DBG("scid 0x%04x dcid 0x%04x", scid, sys_le16_to_cpu(req->dcid));
BT_DBG("dcid 0x%04x scid 0x%04x", dcid, sys_le16_to_cpu(req->scid));

chan = l2cap_remove_tx_cid(conn, scid);
chan = l2cap_remove_rx_cid(conn, dcid);
if (!chan) {
struct bt_l2cap_cmd_reject_cid_data data;

@@ -1053,18 +1053,18 @@ static void le_disconn_rsp(struct bt_l2cap *l2cap, u8_t ident,
struct bt_conn *conn = l2cap->chan.chan.conn;
struct bt_l2cap_le_chan *chan;
struct bt_l2cap_disconn_rsp *rsp = (void *)buf->data;
u16_t dcid;
u16_t scid;

if (buf->len < sizeof(*rsp)) {
BT_ERR("Too small LE disconn rsp packet size");

dcid = sys_le16_to_cpu(rsp->dcid);
scid = sys_le16_to_cpu(rsp->scid);

BT_DBG("dcid 0x%04x scid 0x%04x", dcid, sys_le16_to_cpu(rsp->scid));
BT_DBG("dcid 0x%04x scid 0x%04x", sys_le16_to_cpu(rsp->dcid), scid);

chan = l2cap_remove_tx_cid(conn, dcid);
chan = l2cap_remove_rx_cid(conn, scid);
if (!chan) {
@@ -1824,8 +1824,8 @@ int bt_l2cap_chan_disconnect(struct bt_l2cap_chan *chan)
ch->chan.ident, sizeof(*req));

req = net_buf_add(buf, sizeof(*req));
req->dcid = sys_cpu_to_le16(ch->tx.cid);
req->scid = sys_cpu_to_le16(ch->rx.cid);
req->dcid = sys_cpu_to_le16(ch->rx.cid);
req->scid = sys_cpu_to_le16(ch->tx.cid);

l2cap_chan_send_req(ch, buf, L2CAP_DISC_TIMEOUT);
bt_l2cap_chan_set_state(chan, BT_L2CAP_DISCONNECT);

0 comments on commit e61c5b3

Please sign in to comment.
You can’t perform that action at this time.