No checks of buffer size in l2cap_chan_le_recv #32497

Closed
villytiger opened this issue Feb 19, 2021 · 1 comment · Fixed by #32588
Labels: area: Bluetooth, bug

Comments
@villytiger
Describe the bug

```c
static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
			       struct net_buf *buf)
{
	uint16_t sdu_len;
	int err;

	if (!test_and_dec(&chan->rx.credits)) {
		BT_ERR("No credits to receive packet");
		bt_l2cap_chan_disconnect(&chan->chan);
		return;
	}

	/* Check if segments already exist */
	if (chan->_sdu) {
		l2cap_chan_le_recv_seg(chan, buf);
		return;
	}

	/* Reads two bytes of the SDU length field without first checking
	 * that buf->len >= 2. */
	sdu_len = net_buf_pull_le16(buf);
```

Maybe I'm missing something, but it looks like net_buf_pull_le16 can read outside of the buffer if a frame has a length of fewer than 2 bytes. I couldn't find any checks in the callers either.

@jhedberg (Member)
@villytiger seems like a valid issue. I created #32588 to try to fix it.

jhedberg pushed a commit to jhedberg/zephyr that referenced this issue Feb 24, 2021
We should verify that the buffer has sufficient data before attempting
to parse the SDU length field. If we get a too short packet just
disconnect the channel.

Fixes zephyrproject-rtos#32497

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
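The check the commit message describes, shown as an added stand-alone example rather than Zephyr's own code: a minimal stand-in for `net_buf` (hypothetical names `toy_buf`, `toy_pull_le16`, `le_recv_checked`, `sdu_len_of`) whose pull function, like the real `net_buf_pull_le16`, trusts the caller to have verified the remaining length, and a receive path that rejects a frame shorter than the 2-byte SDU length field before reading it, which is where the real fix disconnects the channel.

```c
/* Added example, not Zephyr code. Names below are hypothetical stand-ins
 * for struct net_buf / net_buf_pull_le16() / l2cap_chan_le_recv(). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct net_buf: a data pointer plus remaining length. */
struct toy_buf {
	const uint8_t *data;
	size_t len;
};

/* Mirrors the contract of net_buf_pull_le16(): the caller must ensure at
 * least two bytes remain; the function itself performs no bounds check. */
static uint16_t toy_pull_le16(struct toy_buf *buf)
{
	uint16_t v = (uint16_t)buf->data[0] | ((uint16_t)buf->data[1] << 8);

	buf->data += 2;
	buf->len -= 2;	/* would underflow on a short frame, as in the bug report */
	return v;
}

enum recv_result { RECV_OK, RECV_TOO_SHORT };

/* Hardened receive path: validate the remaining length before pulling the
 * SDU length field. On a runt frame the caller disconnects the channel
 * instead of parsing. */
static enum recv_result le_recv_checked(struct toy_buf *buf, uint16_t *sdu_len)
{
	if (buf->len < sizeof(uint16_t)) {
		return RECV_TOO_SHORT;
	}
	*sdu_len = toy_pull_le16(buf);
	return RECV_OK;
}

/* Convenience wrapper: returns the parsed SDU length, or -1 when the frame
 * is too short to carry the length field. */
static int sdu_len_of(const uint8_t *frame, size_t frame_len)
{
	struct toy_buf buf = { frame, frame_len };
	uint16_t sdu_len = 0;

	if (le_recv_checked(&buf, &sdu_len) != RECV_OK) {
		return -1;
	}
	return (int)sdu_len;
}

int main(void)
{
	/* Constructed sample frames: a well-formed first segment (SDU length 5,
	 * little-endian) and a one-byte runt. */
	static const uint8_t good[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
	static const uint8_t runt[] = { 0x05 };

	printf("good frame: sdu_len=%d\n", sdu_len_of(good, sizeof(good)));
	printf("runt frame: result=%d (rejected before the field was read)\n",
	       sdu_len_of(runt, sizeof(runt)));
	return 0;
}
```

The ordering is the whole point: the length comparison happens on the untrusted `buf->len` before any byte is dereferenced, so a frame of 0 or 1 bytes never reaches the pull and the remaining-length counter can never underflow.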
jhedberg pushed a commit that referenced this issue Feb 24, 2021 (same commit message as above)
zephyrbot pushed a commit that referenced this issue Mar 19, 2021 (same commit message as above)
zephyrbot pushed a commit that referenced this issue Mar 19, 2021 (same commit message as above)
nashif pushed a commit that referenced this issue Mar 22, 2021 (same commit message as above)
nashif pushed a commit that referenced this issue Mar 23, 2021 (same commit message as above)