This is an automated email from the ASF dual-hosted git repository. janc pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mynewt-nimble.git
The following commit(s) were added to refs/heads/master by this push: new 09466ab8 host/l2cap: disconnect if received packet is larger than MPS 09466ab8 is described below commit 09466ab8105905388f5e800b722e4801de90560f Author: Krzysztof Kopyściński <krzysztof.kopyscin...@codecoup.pl> AuthorDate: Tue Jul 20 14:11:53 2021 +0200 host/l2cap: disconnect if received packet is larger than MPS Peer sending packet larger than MPS is invalid, and should be met with L2CAP channel disconnection. This affects L2CAP/LE/CFC/BV-27-C --- nimble/host/src/ble_l2cap.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nimble/host/src/ble_l2cap.c b/nimble/host/src/ble_l2cap.c index fb1a6176..810d07b3 100644 --- a/nimble/host/src/ble_l2cap.c +++ b/nimble/host/src/ble_l2cap.c @@ -388,6 +388,16 @@ ble_l2cap_rx(struct ble_hs_conn *conn, goto err; } + /* For CIDs from dynamic range we check if SDU size isn't larger than MPS */ + if (chan->dcid >= 0x0040 && chan->dcid <= 0x007F && l2cap_hdr.len > chan->my_coc_mps) { + /* Data exceeds MPS */ + BLE_HS_LOG(ERROR, "error: sdu_len > chan->my_coc_mps (%d>%d)\n", + l2cap_hdr.len, chan->my_coc_mps); + ble_l2cap_disconnect(chan); + rc = BLE_HS_EBADDATA; + goto err; + } + if (chan->rx_buf != NULL) { /* Previous data packet never completed. Discard old packet. */ ble_l2cap_remove_rx(conn, chan);