Bluetooth: Disconnect L2CAP channel if peer sent too much data

sjanc · nashif · commit b156e0fadc06 · 2021-11-30T07:19:53.000-05:00
This was affecting L2CAP/LE/CFC/BV-26-C, L2CAP/LE/CFC/BV-27-C,
L2CAP/ECFC/BV-33-C and L2CAP/ECFC/BV-34-C qualification test cases.

Signed-off-by: Szymon Janc &lt;szymon.janc@codecoup.pl&gt;
diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
@@ -263,7 +263,13 @@ static void bt_acl_recv(struct bt_conn *conn, struct net_buf *buf,
 
 		if (buf->len > net_buf_tailroom(conn->rx)) {
 			BT_ERR("Not enough buffer space for L2CAP data");
-			bt_conn_reset_rx_state(conn);
+
+			/* Frame is not complete but we still pass it to L2CAP
+			 * so that it may handle error on protocol level
+			 * eg disconnect channel.
+			 */
+			bt_l2cap_recv(conn, conn->rx, false);
+			conn->rx = NULL;
 			net_buf_unref(buf);
 			return;
 		}
@@ -308,7 +314,7 @@ static void bt_acl_recv(struct bt_conn *conn, struct net_buf *buf,
 	conn->rx = NULL;
 
 	BT_DBG("Successfully parsed %u byte L2CAP packet", buf->len);
-	bt_l2cap_recv(conn, buf);
+	bt_l2cap_recv(conn, buf, true);
 }
 
 void bt_conn_recv(struct bt_conn *conn, struct net_buf *buf, uint8_t flags)
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
@@ -2396,13 +2396,23 @@ static void l2cap_chan_recv_queue(struct bt_l2cap_le_chan *chan,
 }
 #endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */
 
-static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
+static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf,
+			    bool complete)
 {
 #if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL)
 	struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan);
 
 	if (L2CAP_LE_CID_IS_DYN(ch->rx.cid)) {
-		l2cap_chan_recv_queue(ch, buf);
+		if (complete) {
+			l2cap_chan_recv_queue(ch, buf);
+		} else {
+			/* if packet was not complete this means peer device
+			 * overflowed our RX and channel shall be disconnected
+			 */
+			bt_l2cap_chan_disconnect(chan);
+			net_buf_unref(buf);
+		}
+
 		return;
 	}
 #endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */
@@ -2413,7 +2423,7 @@ static void l2cap_chan_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
 	net_buf_unref(buf);
 }
 
-void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf)
+void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf, bool complete)
 {
 	struct bt_l2cap_hdr *hdr;
 	struct bt_l2cap_chan *chan;
@@ -2443,7 +2453,7 @@ void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf)
 		return;
 	}
 
-	l2cap_chan_recv(chan, buf);
+	l2cap_chan_recv(chan, buf, complete);
 }
 
 int bt_l2cap_update_conn_param(struct bt_conn *conn,
diff --git a/subsys/bluetooth/host/l2cap_internal.h b/subsys/bluetooth/host/l2cap_internal.h
@@ -312,7 +312,7 @@ static inline int bt_l2cap_send(struct bt_conn *conn, uint16_t cid,
 }
 
 /* Receive a new L2CAP PDU from a connection */
-void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf);
+void bt_l2cap_recv(struct bt_conn *conn, struct net_buf *buf, bool complete);
 
 /* Perform connection parameter update request */
 int bt_l2cap_update_conn_param(struct bt_conn *conn,

Original file line number	Diff line number	Diff line change
`@@ -2396,13 +2396,23 @@ static void l2cap_chan_recv_queue(struct bt_l2cap_le_chan *chan,`
`2396`	`2396`	`}`
`2397`	`2397`	`#endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */`
`2398`	`2398`
`2399`		`-static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf)`
	`2399`	`+static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf,`
	`2400`	`+ bool complete)`
`2400`	`2401`	`{`
`2401`	`2402`	`#if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL)`
`2402`	`2403`	`struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan);`
`2403`	`2404`
`2404`	`2405`	`if (L2CAP_LE_CID_IS_DYN(ch->rx.cid)) {`
`2405`		`- l2cap_chan_recv_queue(ch, buf);`
	`2406`	`+ if (complete) {`
	`2407`	`+ l2cap_chan_recv_queue(ch, buf);`
	`2408`	`+ } else {`
	`2409`	`+ /* if packet was not complete this means peer device`
	`2410`	`+ * overflowed our RX and channel shall be disconnected`
	`2411`	`+ */`
	`2412`	`+ bt_l2cap_chan_disconnect(chan);`
	`2413`	`+ net_buf_unref(buf);`
	`2414`	`+ }`
	`2415`	`+`
`2406`	`2416`	`return;`
`2407`	`2417`	`}`
`2408`	`2418`	`#endif /* CONFIG_BT_L2CAP_DYNAMIC_CHANNEL */`
`@@ -2413,7 +2423,7 @@ static void l2cap_chan_recv(struct bt_l2cap_chan chan, struct net_buf buf)`
`2413`	`2423`	`net_buf_unref(buf);`
`2414`	`2424`	`}`
`2415`	`2425`
`2416`		`-void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf)`
	`2426`	`+void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf, bool complete)`
`2417`	`2427`	`{`
`2418`	`2428`	`struct bt_l2cap_hdr *hdr;`
`2419`	`2429`	`struct bt_l2cap_chan *chan;`
`@@ -2443,7 +2453,7 @@ void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf)`
`2443`	`2453`	`return;`
`2444`	`2454`	`}`
`2445`	`2455`
`2446`		`- l2cap_chan_recv(chan, buf);`
	`2456`	`+ l2cap_chan_recv(chan, buf, complete);`
`2447`	`2457`	`}`
`2448`	`2458`
`2449`	`2459`	`int bt_l2cap_update_conn_param(struct bt_conn *conn,`
Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ static inline int bt_l2cap_send(struct bt_conn *conn, uint16_t cid,`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`/* Receive a new L2CAP PDU from a connection */`
`315`		`-void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf);`
	`315`	`+void bt_l2cap_recv(struct bt_conn conn, struct net_buf buf, bool complete);`
`316`	`316`
`317`	`317`	`/* Perform connection parameter update request */`
`318`	`318`	`int bt_l2cap_update_conn_param(struct bt_conn *conn,`