authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2026-02-13 13:33:33 -0500
committerSasha Levin <sashal@kernel.org>2026-03-04 07:20:40 -0500
commit9118601ff90b79e8df3c0c98f48ae00c1b02ecef (patch)
tree87979a587a098403392f99fb818dc297ed515c5b /net/bluetooth
parent21842c0dc4d39f316dea21ff1fa6db6d0dc0bbe7 (diff)
Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
[ Upstream commit 138d7eca445ef37a0333425d269ee59900ca1104 ] This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/ Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Christian Eggers <ceggers@arri.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/l2cap_core.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c0dbad9e8713..7cb438c4ed0d 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5913,6 +5913,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
goto response_unlock;
}
+ /* Check if Key Size is sufficient for the security level */
+ if (!l2cap_check_enc_key_size(conn->hcon, pchan)) {
+ result = L2CAP_CR_LE_BAD_KEY_SIZE;
+ chan = NULL;
+ goto response_unlock;
+ }
+
/* Check for valid dynamic CID range */
if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
result = L2CAP_CR_LE_INVALID_SCID;
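Review bot: The new comment above the `l2cap_check_enc_key_size()` call says only that the key size must be "sufficient"; it does not say where the minimum comes from or what the helper returns on a link that is not encrypted, and neither is visible in this hunk. Since the check is made against the listening channel `pchan` rather than a per-request value, I would spell that out, e.g. `/* Refuse the request if the link's encryption key is shorter than pchan's security level requires */`. This diff touches only `l2cap_le_connect_req()`; if other LE connection-request handlers in this file (the enhanced credit based one, for instance) perform the same security-level check, they presumably need the same `L2CAP_CR_LE_BAD_KEY_SIZE` rejection, which is worth confirming. The function body starts and ends outside the hunk.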