Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ

This adds a check for encryption key size upon receiving
L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which
expects L2CAP_CR_LE_BAD_KEY_SIZE.

Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/
Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 90676ca0e92b6802f6f71f4bb486ff4a6cc9339d..2dcc5bb907b853944169da79c2d14ffafc917b52 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4916,6 +4916,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
                goto response_unlock;
        }
 
+       /* Check if Key Size is sufficient for the security level */
+       if (!l2cap_check_enc_key_size(conn->hcon, pchan)) {
+               result = L2CAP_CR_LE_BAD_KEY_SIZE;
+               chan = NULL;
+               goto response_unlock;
+       }
+
        /* Check for valid dynamic CID range */
        if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
                result = L2CAP_CR_LE_INVALID_SCID;