Bluetooth: HCI: Handle invalid ACL flags.

Handle invalid ACL flags in HCI transport.
Only Point to Point is supported over HCI in both directions.
Fix flushable start HCI ACL packets not allowed on LE-U connections
from Host to controller.

Signed-off-by: Joakim Andersson <[email protected]>

Author: joerchan

subsys/bluetooth/controller/hci/hci.c

@@ -2336,11 +2336,24 @@ int hci_acl_handle(struct net_buf *buf, struct net_buf **evt)
 
 	pdu_data = (void *)node_tx->pdu;
 
-	if (flags == BT_ACL_START_NO_FLUSH || flags == BT_ACL_START) {
+	if (bt_acl_flags_bc(flags) != BT_ACL_POINT_TO_POINT) {
+		return -EINVAL;
+	}
+
+	switch (bt_acl_flags_pb(flags)) {
+	case BT_ACL_START_NO_FLUSH:
 		pdu_data->ll_id = PDU_DATA_LLID_DATA_START;
-	} else {
+		break;
+	case BT_ACL_CONT:
 		pdu_data->ll_id = PDU_DATA_LLID_DATA_CONTINUE;
+		break;
+	default:
+		/* BT_ACL_START and BT_ACL_COMPLETE not allowed on LE-U
+		 * from Host to Controller
+		 */
+		return -EINVAL;
 	}
+
 	pdu_data->len = len;
 	memcpy(&pdu_data->lldata[0], buf->data, len);
 

subsys/bluetooth/host/conn.c

@@ -1168,6 +1168,10 @@ void bt_conn_recv(struct bt_conn *conn, struct net_buf *buf, u8_t flags)
 
 		break;
 	default:
+		/* BT_ACL_START_NO_FLUSH and BT_ACL_COMPLETE are not allowed on
+		 * LE-U from Controller to Host.
+		 * Only BT_ACL_POINT_TO_POINT is supported.
+		 */
 		BT_ERR("Unexpected ACL flags (0x%02x)", flags);
 		bt_conn_reset_rx_state(conn);
 		net_buf_unref(buf);