| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2026-02-13 13:33:33 -0500 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-04 07:21:00 -0500 |
| commit | 481ea39b342c347b6ac029f3d418486280be4e45 (patch) | |
| tree | 73a1a04752bc0a4ff6bd492768aa63872a7c0ef7 /net | |
| parent | efcdb4da480c760fba56b41c0a71169398c91a49 (diff) | |
Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ

[ Upstream commit 138d7eca445ef37a0333425d269ee59900ca1104 ]

This adds a check for encryption key size upon receiving
L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which
expects L2CAP_CR_LE_BAD_KEY_SIZE.

Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/
Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index dbe78805e8f0..0cbd6c292123 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4863,6 +4863,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, goto response_unlock; } + /* Check if Key Size is sufficient for the security level */ + if (!l2cap_check_enc_key_size(conn->hcon, pchan)) { + result = L2CAP_CR_LE_BAD_KEY_SIZE; + chan = NULL; + goto response_unlock; + } + /* Check for valid dynamic CID range */ if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { result = L2CAP_CR_LE_INVALID_SCID; |
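Review bot: the comment on the new check in l2cap_le_connect_req() says the key size must be "sufficient for the security level" but does not say whose level is meant, and the call passes pchan rather than a channel created for this request. If the intent is that the listening channel's requirement decides, please say so in the comment, for example "Check that the link's encryption key size meets what the listening channel (pchan) requires". Two smaller points on the same lines: the check sits ahead of the dynamic CID range test, so a request that has both a short key and an out-of-range scid is answered with L2CAP_CR_LE_BAD_KEY_SIZE and never with L2CAP_CR_LE_INVALID_SCID, which looks like the right order for a security check but is worth a sentence in the commit message since the result code is what L2CAP/LE/CFC/BV-15-C observes. And "chan = NULL;" before "goto response_unlock;" presumably mirrors the other rejection paths in this function; if chan is already NULL at this point the assignment could be dropped, otherwise it is fine as is.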
