Bluetooth: host: l2cap: don't send too much credits

There was an edge-case where we were sending back too much credits, add a
check so we can't do that anymore.

Signed-off-by: Jonathan Rico <[email protected]>

Author: jori-nordic

subsys/bluetooth/host/l2cap.c

@@ -2258,6 +2258,7 @@ static void l2cap_chan_send_credits(struct bt_l2cap_le_chan *chan,
 				    struct net_buf *buf, uint16_t credits)
 {
 	struct bt_l2cap_le_credits *ev;
+	uint16_t old_credits;
 
 	__ASSERT_NO_MSG(bt_l2cap_chan_get_state(&chan->chan) == BT_L2CAP_CONNECTED);
 
@@ -2266,6 +2267,12 @@ static void l2cap_chan_send_credits(struct bt_l2cap_le_chan *chan,
 		credits = chan->rx.init_credits;
 	}
 
+	/* Don't send back more than the initial amount. */
+	old_credits = atomic_get(&chan->rx.credits);
+	if (credits + old_credits > chan->rx.init_credits) {
+		credits = chan->rx.init_credits - old_credits;
+	}
+
 	buf = l2cap_create_le_sig_pdu(buf, BT_L2CAP_LE_CREDITS, get_ident(),
 				      sizeof(*ev));
 	if (!buf) {
@@ -2298,6 +2305,8 @@ static void l2cap_chan_update_credits(struct bt_l2cap_le_chan *chan,
 	credits = ((chan->_sdu_len - net_buf_frags_len(buf)) +
 		   (chan->rx.mps - 1)) / chan->rx.mps;
 
+	BT_DBG("cred %d old %d", credits, (int)old_credits);
+
 	if (credits < old_credits) {
 		return;
 	}