[PATCH 6.19 475/844] Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ

Next message: Sasha Levin: "[PATCH 6.19 488/844] net: Drop the lock in skb_may_tx_timestamp()"
Previous message: Sasha Levin: "[PATCH 6.19 486/844] RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port"
In reply to: Sasha Levin: "[PATCH 6.19 486/844] RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port"
Next in thread: Sasha Levin: "[PATCH 6.19 488/844] net: Drop the lock in skb_may_tx_timestamp()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Sat Feb 28 2026 - 15:22:10 EST

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

[ Upstream commit 138d7eca445ef37a0333425d269ee59900ca1104 ]

This adds a check for encryption key size upon receiving
L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which
expects L2CAP_CR_LE_BAD_KEY_SIZE.

Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/
Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Tested-by: Christian Eggers <ceggers@xxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/bluetooth/l2cap_core.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 29af3f63e89ce..72a4bb1fee46a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4900,6 +4900,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
goto response_unlock;
}

+ /* Check if Key Size is sufficient for the security level */
+ if (!l2cap_check_enc_key_size(conn->hcon, pchan)) {
+ result = L2CAP_CR_LE_BAD_KEY_SIZE;
+ chan = NULL;
+ goto response_unlock;
+ }
+
/* Check for valid dynamic CID range */
if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
result = L2CAP_CR_LE_INVALID_SCID;
--
2.51.0