Bluetooth: L2CAP: Fix missing buffer length check for sdu_len
We should verify that the buffer has sufficient data before attempting to parse the SDU length field. If we get a too short packet just disconnect the channel. Fixes #32497 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
parent
e8224c3a08
commit
0ba9437938
1 changed files with 6 additions and 0 deletions
|
@ -2189,6 +2189,12 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
|
|||
return;
|
||||
}
|
||||
|
||||
if (buf->len < 2) {
|
||||
BT_WARN("Too short data packet");
|
||||
bt_l2cap_chan_disconnect(&chan->chan);
|
||||
return;
|
||||
}
|
||||
|
||||
sdu_len = net_buf_pull_le16(buf);
|
||||
|
||||
BT_DBG("chan %p len %u sdu_len %u", chan, buf->len, sdu_len);
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue