From 3808ad0a96d4ddaa0ea64d4bc4d9800a5747ac63 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Mon, 7 Nov 2016 14:01:13 +0200 Subject: [PATCH] Bluetooth: L2CAP: Limit segments to TX MPS le_data buffers are no longer limited to the minimun of 23 bytes, instead it uses CONFIG_BLUETOOTH_L2CAP_IN_MTU which means it can be bigger than the MPS thus causing invalid data to be sent: > ACL Data RX: Handle 64 flags 0x02 dlen 18 LE L2CAP: LE Connection Request (0x14) ident 1 len 10 PSM: 128 (0x0080) Source CID: 64 MTU: 672 MPS: 23 Credits: 65535 < ACL Data TX: Handle 64 flags 0x00 dlen 18 LE L2CAP: LE Connection Response (0x15) ident 1 len 10 Destination CID: 64 MTU: 230 MPS: 65 Credits: 4 Result: Connection successful (0x0000) < ACL Data TX: Handle 64 flags 0x00 dlen 27 < ACL Data TX: Handle 64 flags 0x01 dlen 2 Channel: 64 len 25 [PSM 128 mode 0] {chan 0} 3c 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff <............... ff ff ff ff ff ff ff ff ff JIRA: ZEP-1219 Change-Id: Id67f1faac8766c66aa24c7421d44112434666a10 Signed-off-by: Luiz Augusto von Dentz
---
 subsys/bluetooth/host/l2cap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
index 542e6e8b07e..aea18d44cbd 100644
--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -1614,7 +1614,8 @@ segment:
 net_buf_add_le16(seg, net_buf_frags_len(buf));
 }
- len = min(min(buf->len, BT_L2CAP_MAX_LE_MPS - sdu_hdr_len), ch->tx.mps);
+ /* Don't send more that TX MPS including SDU length */
+ len = min(buf->len, ch->tx.mps - sdu_hdr_len);
 memcpy(net_buf_add(seg, len), buf->data, len);
 net_buf_pull(buf, len);
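Review bot: The new bound on `len` depends only on `ch->tx.mps`, which going by the trace in the description is the MPS announced by the peer, and the local cap `BT_L2CAP_MAX_LE_MPS - sdu_hdr_len` is dropped, so nothing in this hunk ties the size passed to `net_buf_add(seg, len)` and `memcpy` to the room actually available in `seg`. Unless `tx.mps` is clamped to the segment buffer size and rejected below the spec minimum where the channel is set up (not visible here), a large peer MPS could exceed the space in `seg`, and a value smaller than `sdu_hdr_len` would make the subtraction go negative or wrap. I would also bound the copy by the buffer, for example `len = min(len, net_buf_tailroom(seg));` after the new line, and state in the comment that `ch->tx.mps > sdu_hdr_len` is guaranteed by the connection-time check. The added comment has a typo: `more that` should read `more than`. The enclosing function starts and ends outside the hunk.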