Bluetooth: L2CAP: Fix missing buffer length check for sdu_len

We should verify that the buffer has sufficient data before attempting to parse the SDU length field. If we get a too short packet just disconnect the channel. Fixes #32497 Signed-off-by: Johan Hedberg <[email protected]>
zephyrproject-rtos · Feb 24, 2021 · 0ba9437 · 0ba9437
1 parent e8224c3
commit 0ba9437
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
@@ -2189,6 +2189,12 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
 		return;
 	}
 
+	if (buf->len < 2) {
+		BT_WARN("Too short data packet");
+		bt_l2cap_chan_disconnect(&chan->chan);
+		return;
+	}
+
 	sdu_len = net_buf_pull_le16(buf);
 
 	BT_DBG("chan %p len %u sdu_len %u", chan, buf->len, sdu_len);