Reject connection when malformed L2CAP signal packet is received
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Status tracked in Noble | | | |
Jammy | Fix Released | Medium | Hui Wang | |
Mantic | Fix Released | Medium | Unassigned | |
Noble | Fix Released | Undecided | Unassigned | |
Bug Description
The patch is merged in mainline kernel v6.7-rc7, so the Noble kernel
already has this fix. And this patch is CCed to <email address hidden>,
M and L kernels will have this fix with the SRU update sooner or later.
For the Jammy kernel, an OEM customer is waiting for this patch
to be merged to the Jammy kernel and OEM kernel, here I submit the
review request for Jammy only.
[Impact]
An OEM customer wants to do the Bluetooth Profile Testing Suite (PTS)
test, and they found that if sending 2 commands and one of them is an "unknown
command", the Bluetooth stack doesn't reply with the ack as expected; this
broke the customer's PTS test.
[Fix]
Cherry-pick a mainline kernel patch, this could fix this issue.
[Test]
After applying the patch, test it with PTS:
1. Configure the PTS: set PSM to 0x1011, so that it initiates L2CAP connection
over PSM 0x1011, which is the default PSM for l2test, the testing tool for
L2CAP layer provided by bluez.
2. Set device as connectable:
$ sudo btmgmt connectable on
3. Run l2test on the device in preparation for testing:
$ sudo l2test -d
4. Run the L2CAP/COS/
L2CAP connection automatically.
5. Verify that the test verdict on the PTS is PASS.
And I also tested the patched kernel with 2 bt headsets, 1 bt keyboard and
my mobile phone, all worked as well as before.
[Where problems could occur]
This makes L2CAP implementation more conforming to the specification.
There is a possibility that some bt devices could not work with the patched
kernel, but this possibility is very low. I tested the patched kernel
with 2 bt headsets, 1 bt keyboard and my Android mobile phone, and all
worked as well as before.
[Impact]
In the qualification test from the Bluetooth SIG, i.e. the
Profile Testing Suite (PTS), in the L2CAP/COS/
packet containing the following L2CAP packets are sent:
1. A malformed L2CAP_CONNECTIO
2. An L2CAP packet with unknown command.
For compliance to the L2CAP specification, BlueZ is expected to send:
1. An L2CAP_CONNECTIO
2. An L2CAP_COMMAND_
However, the latter one is not sent.
[Fix]
Clean cherry pick from commit 37b85190ca1ed79
(Bluetooth: L2CAP: Send reject on command corrupted request)
[Test]
After applying the patch, test it with PTS:
1. Configure the PTS: set PSM to 0x1011, so that it initiates L2CAP connection
over PSM 0x1011, which is the default PSM for l2test, the testing tool for
L2CAP layer provided by bluez.
2. Set device as connectable:
$ sudo btmgmt connectable on
3. Run l2test on the device in preparation for testing:
$ sudo l2test -d
4. Run the L2CAP/COS/
L2CAP connection automatically.
5. Verify that the test verdict on the PTS is PASS.
[Where problems could occur]
This makes L2CAP implementation more conforming to the specification.
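The behaviour described under [Impact], as an added example that is not part of the bug report or of the kernel patch: a simplified user-space model of a signaling-channel parser that owes one reply to every command in a frame. The `strict` flag, the function and struct names, and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signaling codes from the Bluetooth Core spec (L2CAP signaling channel). */
enum { CMD_REJECT = 0x01, CONN_REQ = 0x02, CONN_RSP = 0x03 };
struct reply { uint8_t code, ident; };

/* Walk every command in one signaling frame payload and record the reply
 * owed to each. strict=0 models a parser that silently stops at a corrupted
 * header; strict=1 rejects it. Returns the number of replies written. */
static size_t handle_sig_frame(const uint8_t *p, size_t n, int strict,
                               struct reply *out, size_t max)
{
    size_t cnt = 0;
    while (n >= 4 && cnt < max) {          /* header: code, ident, len (LE16) */
        uint8_t code = p[0], ident = p[1];
        size_t len = (size_t)p[2] | ((size_t)p[3] << 8);
        p += 4; n -= 4;
        if (len > n || ident == 0) {       /* corrupted command header */
            if (!strict)
                break;                     /* peer never gets an answer */
            out[cnt++] = (struct reply){ CMD_REJECT, ident };
            len = len > n ? n : len;       /* never read past the frame */
        } else if (code == CONN_REQ && len >= 4) {
            out[cnt++] = (struct reply){ CONN_RSP, ident };
        } else {                           /* unknown or too-short command */
            out[cnt++] = (struct reply){ CMD_REJECT, ident };
        }
        p += len; n -= len;
    }
    return cnt;
}

/* Constructed frame (not the PTS vector): a connection request for PSM 0x1011,
 * then an unassigned code 0xFF whose length field (16) exceeds the data left. */
static const uint8_t sample[] = {
    0x02, 0x01, 0x04, 0x00,  0x11, 0x10, 0x40, 0x00,
    0xFF, 0x02, 0x10, 0x00,
};

int main(void)
{
    struct reply r[4];
    size_t i, k = handle_sig_frame(sample, sizeof(sample), 1, r, 4);
    for (i = 0; i < k; i++)
        printf("reply code=0x%02x ident=%u\n", r[i].code, r[i].ident);
    return 0;
}
```

With `strict` set to 0 the same frame yields only the connection response, which is the missing-reject symptom the report describes.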
Changed in linux (Ubuntu Noble):
status: New → Fix Released
description: updated
Changed in linux (Ubuntu Jammy):
status: New → In Progress
Changed in linux (Ubuntu Mantic):
status: New → In Progress
Changed in linux (Ubuntu Jammy):
importance: High → Medium
Changed in linux (Ubuntu Mantic):
importance: Undecided → Medium
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Mantic):
status: In Progress → Fix Committed
tags: added: verification-done-jammy-linux-ibm-gt-fips removed: verification-needed-jammy-linux-ibm-gt-fips
The patch is merged to mainline kernel v6.7-rc7, and this patch is also CCed to <email address hidden>, so in theory, this patch will be merged to ubuntu kernel (jammy & noble) automatically with the SRU update.