Merge pull request #102 from andryblack/fix_overflow

l2cap: fix buffer overflow for l2cap config options
2025-04-01 22:20:58 +00:00 · 2018-04-07 11:42:54 +02:00 · 2018-04-07 11:42:54 +02:00 · 15eeb0057d
commit 15eeb0057d
parent 73cd8a2ad6 f2c7079962
1 changed files with 6 additions and 2 deletions
--- a/src/l2cap.c
+++ b/src/l2cap.c
@ -391,7 +391,7 @@ static uint16_t l2cap_setup_options_ertm_request(l2cap_channel_t * channel, uint
    config_options[pos++] = L2CAP_CONFIG_OPTION_TYPE_FRAME_CHECK_SEQUENCE;
    config_options[pos++] = 1;     // length
    config_options[pos++] = channel->fcs_option;
-    return pos;
+    return pos; // 11+4+3=18
 }
 static uint16_t l2cap_setup_options_ertm_response(l2cap_channel_t * channel, uint8_t * config_options){
@ -425,7 +425,7 @@ static uint16_t l2cap_setup_options_ertm_response(l2cap_channel_t * channel, uin
    config_options[pos++] = 1;     // length
    config_options[pos++] = channel->fcs_option;
 #endif
-    return pos;
+    return pos; // 11+4=15
 }
 static int l2cap_ertm_send_supervisor_frame(l2cap_channel_t * channel, uint16_t control){
@ -1376,7 +1376,11 @@ static void l2cap_run(void){
 #endif
 #ifdef ENABLE_CLASSIC
 #ifdef ENABLE_L2CAP_ENHANCED_RETRANSMISSION_MODE
    uint8_t  config_options[18];
 #else
    uint8_t  config_options[10];
 #endif
    btstack_linked_list_iterator_init(&it, &l2cap_channels);
    while (btstack_linked_list_iterator_has_next(&it)){