mirror of https://github.com/torvalds/linux.git
25f420a0d4
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.
Fixes:
|
||
|---|---|---|
| .. | ||
| bnep | ||
| cmtp | ||
| hidp | ||
| rfcomm | ||
| 6lowpan.c | ||
| Kconfig | ||
| Makefile | ||
| af_bluetooth.c | ||
| aosp.c | ||
| aosp.h | ||
| coredump.c | ||
| ecdh_helper.c | ||
| ecdh_helper.h | ||
| eir.c | ||
| eir.h | ||
| hci_codec.c | ||
| hci_codec.h | ||
| hci_conn.c | ||
| hci_core.c | ||
| hci_debugfs.c | ||
| hci_debugfs.h | ||
| hci_drv.c | ||
| hci_event.c | ||
| hci_sock.c | ||
| hci_sync.c | ||
| hci_sysfs.c | ||
| iso.c | ||
| l2cap_core.c | ||
| l2cap_sock.c | ||
| leds.c | ||
| leds.h | ||
| lib.c | ||
| mgmt.c | ||
| mgmt_config.c | ||
| mgmt_config.h | ||
| mgmt_util.c | ||
| mgmt_util.h | ||
| msft.c | ||
| msft.h | ||
| sco.c | ||
| selftest.c | ||
| selftest.h | ||
| smp.c | ||
| smp.h | ||