From 1fcd10b705c525077beb446673779adf630a88cf Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Mon, 2 Oct 2017 11:50:32 +0200
Subject: [PATCH] l2cap: fix regression in LE Signaling Len check for Connection Update Request/Response in adcfabadef2147ecee52ccbc9ab695b6df44e568
---
 src/l2cap.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/l2cap.c b/src/l2cap.c
index ea6f68e9e..173146c2c 100644
--- a/src/l2cap.c
+++ b/src/l2cap.c
@@ -2573,20 +2573,13 @@ static int l2cap_le_signaling_handler_dispatch(hci_con_handle_t handle, uint8_t
 uint8_t code = command[L2CAP_SIGNALING_COMMAND_CODE_OFFSET];
 uint16_t len = little_endian_read_16(command, L2CAP_SIGNALING_COMMAND_LENGTH_OFFSET);
- log_info("l2cap_le_signaling_handler_dispatch: command 0x%02x, sig id %u", code, sig_id);
+ log_info("l2cap_le_signaling_handler_dispatch: command 0x%02x, sig id %u, len %u", code, sig_id, len);
 switch (code){
- case CONNECTION_PARAMETER_UPDATE_RESPONSE:
- // check size
- if (len < 8) return 0;
- result = little_endian_read_16(command, 4);
- l2cap_emit_connection_parameter_update_response(handle, result);
- break;
-
 case CONNECTION_PARAMETER_UPDATE_REQUEST:
 // check size
- if (len < 2) return 0;
+ if (len < 8) return 0;
 connection = hci_connection_for_handle(handle);
 if (connection){
 if (connection->role != HCI_ROLE_MASTER){
@@ -2631,6 +2624,13 @@ static int l2cap_le_signaling_handler_dispatch(hci_con_handle_t handle, uint8_t
 (*l2cap_event_packet_handler)( HCI_EVENT_PACKET, 0, event, sizeof(event));
 break;
+ case CONNECTION_PARAMETER_UPDATE_RESPONSE:
+ // check size
+ if (len < 2) return 0;
+ result = little_endian_read_16(command, 4);
+ l2cap_emit_connection_parameter_update_response(handle, result);
+ break;
+
 #ifdef ENABLE_LE_DATA_CHANNELS
 case COMMAND_REJECT:
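Review bot: The `if (len < 8) return 0;` guard under `CONNECTION_PARAMETER_UPDATE_REQUEST` tests the length field taken from the command header, which the peer supplies, and nothing visible in the hunk compares it with the number of bytes actually received. If the caller does not already guarantee that, a truncated PDU that declares `len` 8 would pass and the parameter reads that follow could run past the received data; the `len < 2` check in the `CONNECTION_PARAMETER_UPDATE_RESPONSE` case added by the second hunk has the same limitation. The signature is cut off in the hunk header and the function continues outside the hunk, so this needs confirming against the caller; if no size is available there, the dispatcher should receive the payload size and reject a `len` that exceeds it. The comment could become `// request carries four 16-bit parameters = 8 bytes` so the constant is explained.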
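Review bot: In the added `CONNECTION_PARAMETER_UPDATE_RESPONSE` case, `little_endian_read_16(command, 4)` uses a bare offset while the header fields at the top of the function are read through `L2CAP_SIGNALING_COMMAND_CODE_OFFSET` and `L2CAP_SIGNALING_COMMAND_LENGTH_OFFSET`; a named data offset in the same family would keep the parser consistent and make the link to the `len < 2` check obvious. The `// check size` comment could state what is checked, for example `// response payload is the 16-bit Result field`. A malformed response is dropped by a silent `return 0`; a log line on that path, like the `log_info` at the top of the function, would make malformed signaling PDUs from a peer visible in traces.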