
Commit de56c3a

committed
host/l2cap_sig: do not permit duplicated CID in connect response
If peer sends L2CAP connect response with duplicated DCID connection should not be created on that channel and existing channel of this CID shall be disconnected. This is affecting L2CAP/ECFC/BV-29-C
1 parent 1969ca3 commit de56c3a


1 file changed

+17
-0
lines changed


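--- a/nimble/host/src/ble_l2cap_sig.c
+++ b/nimble/host/src/ble_l2cap_sig.c
@@ -1048,6 +1048,7 @@ ble_l2cap_sig_credit_base_con_rsp_rx(uint16_t conn_handle,
     struct ble_hs_conn *conn;
     int rc;
     int i;
+    uint16_t duplicated_cids[5] = {};
 
 #if !BLE_MONITOR
     BLE_HS_LOG(DEBUG, "L2CAP LE COC connection response received\n");
@@ -1093,6 +1094,12 @@ ble_l2cap_sig_credit_base_con_rsp_rx(uint16_t conn_handle,
             chan->dcid = 0;
             continue;
         }
+        if (ble_hs_conn_chan_find_by_dcid(conn, rsp->dcids[i])) {
+            duplicated_cids[i] = rsp->dcids[i];
+            chan->dcid = 0;
+            continue;
+        }
+
         chan->peer_coc_mps = le16toh(rsp->mps);
         chan->dcid = le16toh(rsp->dcids[i]);
         chan->coc_tx.mtu = le16toh(rsp->mtu);
@@ -1104,6 +1111,16 @@ ble_l2cap_sig_credit_base_con_rsp_rx(uint16_t conn_handle,
     ble_hs_unlock();
 
 done:
+    for (i = 0; i < 5; i++){
+        if (duplicated_cids[i] != 0){
+            ble_hs_lock();
+            conn = ble_hs_conn_find(conn_handle);
+            chan = ble_hs_conn_chan_find_by_dcid(conn, duplicated_cids[i]);
+            ble_hs_unlock();
+            rc = ble_l2cap_sig_disconnect(chan);
+        }
+    }
+
     ble_l2cap_sig_coc_connect_cb(proc, rc);
     ble_l2cap_sig_proc_free(proc);
 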
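Review bot: In the teardown loop after `done:` (third hunk), `rc = ble_l2cap_sig_disconnect(chan);` overwrites the connect result that `ble_l2cap_sig_coc_connect_cb(proc, rc)` reports on the next line, so the caller sees the disconnect's status instead of the outcome of the connect response; discard that result or keep it in its own variable. The same loop uses what `ble_hs_conn_find` and `ble_hs_conn_chan_find_by_dcid` return without a NULL check and passes `chan` to the disconnect after `ble_hs_unlock()`, so if the connection dropped meanwhile (or the duplicated channel was already torn down) this is a NULL or stale pointer — presumably both helpers can return NULL, so guard them. In the second hunk the duplicate lookup and the saved CID use the raw `rsp->dcids[i]` while the existing line below stores `le16toh(rsp->dcids[i])`, so on a big-endian host the comparison key and the stored DCID differ; use `le16toh(rsp->dcids[i])` in all three places. The `[5]` bound and the empty `= {}` initializer (not valid C11; `= {0}` is) would be better expressed with the file's existing per-request channel limit, if it has one. A guarded version of the loop, with the connect result left untouched:
```c
done:
    for (i = 0; i < 5; i++) {
        if (duplicated_cids[i] == 0) {
            continue;
        }
        ble_hs_lock();
        conn = ble_hs_conn_find(conn_handle);
        chan = conn ? ble_hs_conn_chan_find_by_dcid(conn, duplicated_cids[i]) : NULL;
        ble_hs_unlock();
        if (chan) {
            /* teardown of the duplicate channel must not replace rc,
             * which carries the connect result reported below */
            (void)ble_l2cap_sig_disconnect(chan);
        }
    }
    // … unchanged: connect callback and proc free …
```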