Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ

This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/ Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Christian Eggers <ceggers@arri.de>
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2026-02-13 13:33:33 -0500
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2026-02-23 16:08:15 -0500
commit: 138d7eca445ef37a0333425d269ee59900ca1104 (patch)
tree: addfa5ee74560fb0918cff496376ca4cd4c26ca7
parent: a8d1d73c81d1e70d2aa49fdaf59d933bb783ffe5 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 90676ca0e92b..2dcc5bb907b8 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4916,6 +4916,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
 		goto response_unlock;
 	}
 
+	/* Check if Key Size is sufficient for the security level */
+	if (!l2cap_check_enc_key_size(conn->hcon, pchan)) {
+		result = L2CAP_CR_LE_BAD_KEY_SIZE;
+		chan = NULL;
+		goto response_unlock;
+	}
+
 	/* Check for valid dynamic CID range */
 	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
 		result = L2CAP_CR_LE_INVALID_SCID;
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2026-02-13 13:33:33 -0500
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2026-02-23 16:08:15 -0500
commit	138d7eca445ef37a0333425d269ee59900ca1104 (patch)
tree	addfa5ee74560fb0918cff496376ca4cd4c26ca7
parent	a8d1d73c81d1e70d2aa49fdaf59d933bb783ffe5 (diff)