Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

stable inclusion from stable-v5.10.154 commit 6b6f94fb9a74dd2891f11de4e638c6202bc89476 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNPH?from=project-issue CVE: CVE-2022-42896 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b6f94fb9a74dd2891f11de4e638c6202bc89476 ------------------------------- commit 711f8c3f upstream. The Bluetooth spec states that the valid range for SPSM is from 0x0001-0x00ff so it is invalid to accept values outside of this range: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A page 1059: Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges CVE: CVE-2022-42896 CC: stable@vger.kernel.org Reported-by: N Tamás Koczka <poprdi@google.com> Signed-off-by: N Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Reviewed-by: N Tedd Ho-Jeong An <tedd.an@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
stable inclusion from stable-v5.10.154 commit 6b6f94fb9a74dd2891f11de4e638c6202bc89476 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNPH?from=project-issue CVE: CVE-2022-42896 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b6f94fb9a74dd2891f11de4e638c6202bc89476 ------------------------------- commit 711f8c3f upstream. The Bluetooth spec states that the valid range for SPSM is from 0x0001-0x00ff so it is invalid to accept values outside of this range: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A page 1059: Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges CVE: CVE-2022-42896 CC: stable@vger.kernel.org Reported-by: N Tamás Koczka <poprdi@google.com> Signed-off-by: N Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Reviewed-by: N Tedd Ho-Jeong An <tedd.an@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
50fab21f · Luiz Augusto von Dentz · Zheng Zengkai · 9ac5ca2b · 50fab21f
隐藏空白更改
内联并排

Showing with 25 addition and 0 deletion

net/bluetooth/l2cap_core.c net/bluetooth/l2cap_core.c +25 -0

未找到文件。
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5800,6 +5800,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
 	BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
 	       scid, mtu, mps);
+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+	 * page 1059:
+	 *
+	 * Valid range: 0x0001-0x00ff
+	 *
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+	 */
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+		result = L2CAP_CR_LE_BAD_PSM;
+		chan = NULL;
+		goto response;
+	}
 	/* Check if we have socket listening on psm */
 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
 					 &conn->hcon->dst, LE_LINK);
@@ -5980,6 +5993,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
 	psm  = req->psm;
+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+	 * page 1059:
+	 *
+	 * Valid range: 0x0001-0x00ff
+	 *
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+	 */
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+		result = L2CAP_CR_LE_BAD_PSM;
+		goto response;
+	}
 	BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
 	memset(&pdu, 0, sizeof(pdu));