Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

commit dfb6df4bc13d2371a15749c98a36a6ff0caad82a upstream.

The Bluetooth spec states that the valid range for SPSM is from
0x0001-0x00ff so it is invalid to accept values outside of this range:

  BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
  page 1059:
  Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges

CVE: CVE-2022-42896
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka <poprdi@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index afa7fc55555e55940c4316f37616c50c8fad8253..fb2abd0e979a9171e08e87d19c242a1d1cfe2f15 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5571,6 +5571,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
        BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
               scid, mtu, mps);
 
+       /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+        * page 1059:
+        *
+        * Valid range: 0x0001-0x00ff
+        *
+        * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+        */
+       if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+               result = L2CAP_CR_LE_BAD_PSM;
+               chan = NULL;
+               goto response;
+       }
+
        /* Check if we have socket listening on psm */
        pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
                                         &conn->hcon->dst, LE_LINK);