Hi Ismagil,

On Tue, Jul 8, 2025 at 7:13 AM Ismagil Iskakov <i.iskakov@xxxxxx> wrote:
>
> Arrays inside l2cap_set_lm/rfcomm_set_lm functions are of size 4,
> but the bounds check allows the value 4 for 'level'.
> --- > btio/btio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/btio/btio.c b/btio/btio.c > index b8afe0580..14f2b700e 100644 > --- a/btio/btio.c > +++ b/btio/btio.c > @@ -455,7 +455,7 @@ static gboolean set_sec_level(int sock, BtIOType type, int level, GError **err) > struct bt_security sec; > int ret; > > - if (level < BT_SECURITY_LOW || level > BT_SECURITY_FIPS) { > + if (level < BT_SECURITY_LOW || level > BT_SECURITY_HIGH) { > g_set_error(err, BT_IO_ERROR, EINVAL, > "Valid security level range is %d-%d", > BT_SECURITY_LOW, BT_SECURITY_HIGH); > -- > 2.34.1

Yeah, while this handles the likes of l2cap_set_lm/rfcomm_set_lm, this also would disallow FIPS (level 4) security. The right fix here is to probably bail out with an error after attempting BT_SECURITY if BT_SECURITY_FIPS has been given.

--
Luiz Augusto von Dentz
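Review bot: The tightened upper bound in the first check of set_sec_level() rejects BT_SECURITY_FIPS for every caller, not only for the l2cap_set_lm/rfcomm_set_lm path whose size-4 arrays the commit message is concerned with. Consider keeping `level > BT_SECURITY_FIPS` as the entry check and adding the level-4 rejection immediately before the point where set_sec_level() hands off to those two helpers, so an out-of-range index is never used while FIPS remains selectable elsewhere. If FIPS stays valid at this check, the g_set_error() text in the context lines should print BT_SECURITY_FIPS as the upper end of the range instead of BT_SECURITY_HIGH, since the message and the condition currently disagree in the pre-patch code.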