diff mbox series

[v1] Bluetooth: L2CAP: Fix not restricting bind to fixed CIDs

Message ID 20241011184722.38617-1-luiz.dentz@gmail.com
State New
Headers show
Series [v1] Bluetooth: L2CAP: Fix not restricting bind to fixed CIDs | expand

Commit Message

Luiz Augusto von Dentz Oct. 11, 2024, 6:47 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Fixed CIDs are also CIG assigned and subjected to qualification so they
shall be restricted the same way as to fixed PSMs.

Link: https://github.com/bluez/bluez/issues/972#issuecomment-2407919977
Fixes: bfe4655f05d7 ("Bluetooth: Reintroduce socket restrictions for LE sockets")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/l2cap_sock.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ba437c6f6ee5..1aafa6a5566c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -132,10 +132,15 @@  static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 	bacpy(&chan->src, &la.l2_bdaddr);
 	chan->src_type = la.l2_bdaddr_type;
 
-	if (la.l2_cid)
-		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
-	else
+	if (la.l2_cid) {
+		/* Restrict fixed CIDs to CAP_NET_BIND_SERVICE */
+		if (!capable(CAP_NET_BIND_SERVICE))
+			err = -EACCES;
+		else
+			err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
+	} else {
 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
+	}
 
 	if (err < 0)
 		goto done;