Impact
When Central device connects to peripheral and creates L2CAP connection for Enhanced ATT, sending some invalid ATT request and disconnecting immediately causes freeze.
Analysis
Sending malformed ATT request on EATT channel and disconnecting L2CAP immediately crashes the Zephyr. It seems that L2CAP channel is already in disconnected state when Zephyr stack calls sent callback l2cap_chan_sdu_sent() and further bt_att_sent(). In bt_att_sent()
crash happens because already freed memory block is being accessed.
From the logs we can see that bt_att_disconnected() and bt_att_released() were called which means that memory regions both att channel and att contexts were freed. For some reason Zephyr master does not dump the bus fault message but just silently freezes. Following screenshot is from v2.5-branch.
Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
created: 2021-03-19
embargo: 2021-06-19
bronallo-bd Analyst
mkarhumaa Analyst
Impact
When Central device connects to peripheral and creates L2CAP connection for Enhanced ATT, sending some invalid ATT request and disconnecting immediately causes freeze.
Analysis
Sending malformed ATT request on EATT channel and disconnecting L2CAP immediately crashes the Zephyr. It seems that L2CAP channel is already in disconnected state when Zephyr stack calls sent callback
l2cap_chan_sdu_sent()and furtherbt_att_sent(). Inbt_att_sent()crash happens because already freed memory block is being accessed.
From the logs we can see that
bt_att_disconnected()andbt_att_released()were called which means that memory regions both att channel and att contexts were freed. For some reason Zephyr master does not dump the bus fault message but just silently freezes. Following screenshot is from v2.5-branch.Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
created: 2021-03-19
embargo: 2021-06-19