host/l2cap: disconnect peer that sends L2CAP packets with hdr len > mtu

KKopyscinski · KKopyscinski · commit 1969ca311277 · 2021-12-10T10:18:35.000+01:00
Rest of the checks disconnects peer if SDU size exceeds MTU, but value
in header is OK. We should also disconnect if PDU lenght in L2CAP packet
header exceeds it, regardles of how much data it actually contains, not
just return error.

This is affecting L2CAP/LE/CFC/BV-26-C and L2CAP/ECFC/BV-33-C
diff --git a/nimble/host/src/ble_l2cap.c b/nimble/host/src/ble_l2cap.c
@@ -393,8 +393,11 @@ ble_l2cap_rx(struct ble_hs_conn *conn,
         }
 
         if (l2cap_hdr.len > ble_l2cap_get_mtu(chan)) {
-            /* More data then we expected on the channel */
+            /* More data than we expected on the channel.
+             * Disconnect peer with invalid behaviour
+             */
             rc = BLE_HS_EBADDATA;
+            ble_l2cap_disconnect(chan);
             goto err;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -393,8 +393,11 @@ ble_l2cap_rx(struct ble_hs_conn *conn,`
`393`	`393`	`}`
`394`	`394`
`395`	`395`	`if (l2cap_hdr.len > ble_l2cap_get_mtu(chan)) {`
`396`		`- /* More data then we expected on the channel */`
	`396`	`+ /* More data than we expected on the channel.`
	`397`	`+ * Disconnect peer with invalid behaviour`
	`398`	`+ */`
`397`	`399`	`rc = BLE_HS_EBADDATA;`
	`400`	`+ ble_l2cap_disconnect(chan);`
`398`	`401`	`goto err;`
`399`	`402`	`}`
`400`	`403`