Bluetooth: Disconnect L2CAP channel if peer sent too much data

sjanc · sjanc · commit 5846baaa6ade · 2021-11-09T10:25:09.000+01:00
This was affecting L2CAP/LE/CFC/BV-26-C, L2CAP/LE/CFC/BV-27-C,
L2CAP/ECFC/BV-33-C and L2CAP/ECFC/BV-34-C qualification test cases.

Signed-off-by: Szymon Janc &lt;szymon.janc@codecoup.pl&gt;
diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
@@ -263,7 +263,13 @@ static void bt_acl_recv(struct bt_conn *conn, struct net_buf *buf,
 
 		if (buf->len > net_buf_tailroom(conn->rx)) {
 			BT_ERR("Not enough buffer space for L2CAP data");
-			bt_conn_reset_rx_state(conn);
+
+			/* Frame is not complete but we still pass it to L2CAP
+			 * so that it may handle error on protocol level
+			 * eg disconnect channel.
+			 */
+			bt_l2cap_recv(conn, conn->rx, false);
+			conn->rx = NULL;
 			net_buf_unref(buf);
 			return;
 		}
@@ -308,7 +314,7 @@ static void bt_acl_recv(struct bt_conn *conn, struct net_buf *buf,
 	conn->rx = NULL;
 
 	BT_DBG("Successfully parsed %u byte L2CAP packet", buf->len);
-	bt_l2cap_recv(conn, buf);
+	bt_l2cap_recv(conn, buf, true);
 }
 
 void bt_conn_recv(struct bt_conn *conn, struct net_buf *buf, uint8_t flags)
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
@@ -2364,13 +2364,23 @@ static void l2cap_chan_recv_queue(struct bt_l2cap_le_chan *chan,
 }
 #endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */
 
-static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
+static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf,
+			    bool complete)
 {
 #if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL)
 	struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan);
 
 	if (L2CAP_LE_CID_IS_DYN(ch->rx.cid)) {
-		l2cap_chan_recv_queue(ch, buf);
+		if (complete) {
+			l2cap_chan_recv_queue(ch, buf);
+		} else {
+			/* if packet was not complete this means peer device
+			 * overflowed our RX and channel shall be disconnected
+			 */
+			bt_l2cap_chan_disconnect(chan);
+			net_buf_unref(buf);
+		}
+
 		return;
 	}
 #endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */
@@ -2381,7 +2391,7 @@ static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
 	net_buf_unref(buf);
 }
 
-void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf)
+void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf, bool complete)
 {
 	struct bt_l2cap_hdr *hdr;
 	struct bt_l2cap_chan *chan;
@@ -2411,7 +2421,7 @@ void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf)
 		return;
 	}
 
-	l2cap_chan_recv(chan, buf);
+	l2cap_chan_recv(chan, buf, complete);
 }
 
 int bt_l2cap_update_conn_param(struct bt_conn *conn,
diff --git a/subsys/bluetooth/host/l2cap_internal.h b/subsys/bluetooth/host/l2cap_internal.h
@@ -312,7 +312,7 @@ static inline int bt_l2cap_send(struct bt_conn *conn, uint16_t cid,
 }
 
 /* Receive a new L2CAP PDU from a connection */
-void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf);
+void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf, bool complete);
 
 /* Perform connection parameter update request */
 int bt_l2cap_update_conn_param(struct bt_conn *conn,

Original file line number	Diff line number	Diff line change
`@@ -2364,13 +2364,23 @@ static void l2cap_chan_recv_queue(struct bt_l2cap_le_chan *chan,`
`2364`	`2364`	`}`
`2365`	`2365`	`#endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */`
`2366`	`2366`
`2367`		`-static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf)`
	`2367`	`+static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf,`
	`2368`	`+ bool complete)`
`2368`	`2369`	`{`
`2369`	`2370`	`#if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL)`
`2370`	`2371`	`struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan);`
`2371`	`2372`
`2372`	`2373`	`if (L2CAP_LE_CID_IS_DYN(ch->rx.cid)) {`
`2373`		`- l2cap_chan_recv_queue(ch, buf);`
	`2374`	`+ if (complete) {`
	`2375`	`+ l2cap_chan_recv_queue(ch, buf);`
	`2376`	`+ } else {`
	`2377`	`+ /* if packet was not complete this means peer device`
	`2378`	`+ * overflowed our RX and channel shall be disconnected`
	`2379`	`+ */`
	`2380`	`+ bt_l2cap_chan_disconnect(chan);`
	`2381`	`+ net_buf_unref(buf);`
	`2382`	`+ }`
	`2383`	`+`
`2374`	`2384`	`return;`
`2375`	`2385`	`}`
`2376`	`2386`	`#endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */`
`@@ -2381,7 +2391,7 @@ static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf)`
`2381`	`2391`	`net_buf_unref(buf);`
`2382`	`2392`	`}`
`2383`	`2393`
`2384`		`-void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf)`
	`2394`	`+void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf, bool complete)`
`2385`	`2395`	`{`
`2386`	`2396`	`struct bt_l2cap_hdr *hdr;`
`2387`	`2397`	`struct bt_l2cap_chan *chan;`
`@@ -2411,7 +2421,7 @@ void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf)`
`2411`	`2421`	`return;`
`2412`	`2422`	`}`
`2413`	`2423`
`2414`		`- l2cap_chan_recv(chan, buf);`
	`2424`	`+ l2cap_chan_recv(chan, buf, complete);`
`2415`	`2425`	`}`
`2416`	`2426`
`2417`	`2427`	`int bt_l2cap_update_conn_param(struct bt_conn *conn,`
Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ static inline int bt_l2cap_send(struct bt_conn *conn, uint16_t cid,`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`/* Receive a new L2CAP PDU from a connection */`
`315`		`-void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf);`
	`315`	`+void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf, bool complete);`
`316`	`316`
`317`	`317`	`/* Perform connection parameter update request */`
`318`	`318`	`int bt_l2cap_update_conn_param(struct bt_conn *conn,`