[BUG 0 / 6] L2cap: Spec violations

From: Sungwoo Kim
Date: Thu Nov 17 2022 - 22:52:47 EST

Next message: Gustavo A. R. Silva: "Re: [PATCH] hpet: Replace one-element array with flexible-array member"
Previous message: Kees Cook: "[PATCH v2 0/2] slab: Provide full coverage for __alloc_size attribute"
Next in thread: Sungwoo Kim: "[BUG 1 / 6] L2cap: Spec violations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,
Our fuzzer found six spec violations, illegal state transition.

1. BT_CONNECT2 -> BT_CONFIG by L2CAP_CONN_RSP
2. BT_CONNECT2 -> BT_CONNECTED by L2CAP_CONF_RSP
3. BT_CONNECT2 -> BT_DISCONN by L2CAP_CONF_RSP
4. BT_CONNECTED -> BT_CONFIG by L2CAP_CONN_RSP
5. BT_DISCONN -> BT_CONFIG by L2CAP_CONN_RSP
6. BT_DISCONN -> BT_CONNECTED by L2CAP_CONN_RSP

All expected behaviors are ignoring incoming packets as described in
the spec v5.3 | Vol 3, Part A 6. STATE MACHINE.
Also, I assumed BT_CONNECT2 is corresponding to WAIT_CONNECT in the spec.

Next message: Gustavo A. R. Silva: "Re: [PATCH] hpet: Replace one-element array with flexible-array member"
Previous message: Kees Cook: "[PATCH v2 0/2] slab: Provide full coverage for __alloc_size attribute"
Next in thread: Sungwoo Kim: "[BUG 1 / 6] L2cap: Spec violations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]