Linux Kernel Bluetooth L2CAP ERTM Resource Leak and Denial-of-Service Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth L2CAP implementation has been addressed. The issue involved improper handling of the Enhanced Retransmission Mode (ERTM) configuration, leading to a resource leak and a denial-of-service condition. When reconfiguring L2CAP channels in the 'BT_CONNECTED' state, the process inadvertently re-initialized ERTM resources without freeing the previously allocated memory, causing a memory leak. Additionally, the lack of validation for the maximum PDU size option allowed a zero value to propagate through the configuration request handling, leading to an infinite loop that exhausted available memory.

Impact

Exploitation of this vulnerability could lead to a memory leak of ERTM resources, causing a denial-of-service condition by exhausting available system memory.

Reproduction

The vulnerability can be reproduced by sending an L2CAP configuration request for a channel that is already in the 'BT_CONNECTED' state. If the request carries a maximum PDU size option whose value is zero, the value is accepted without validation and the 'pdu_len' variable becomes zero. This in turn creates an infinite loop in the 'l2cap_segment_sdu()' function: the 'len' variable is never decremented, so the loop never terminates and the condition leads to memory exhaustion.
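The following is an added userspace model of the segmentation loop described above, written for this page; it is not the kernel's code, and the function names, the iteration budget and the error value are assumptions made for illustration. It shows why a zero 'pdu_len' never makes progress and how a check placed before the loop turns that into a rejected configuration instead.

```c
/* Constructed model of the ERTM SDU segmentation loop; not kernel code.
 * segment_sdu_unchecked(), segment_sdu_checked() and EINVAL_MODEL are
 * assumed names for this example. */
#include <stddef.h>
#include <stdio.h>

#define EINVAL_MODEL 22   /* stands in for the kernel's EINVAL */

/* Carve an SDU of 'len' bytes into PDUs of at most 'pdu_len' bytes.
 * With pdu_len == 0 each iteration consumes zero bytes, so 'len' is
 * never decremented and the loop would run forever, allocating a
 * buffer per iteration until memory is exhausted. 'budget' bounds the
 * iterations so this model always terminates; -1 means the budget was
 * hit, i.e. the real loop would not have ended. */
static long segment_sdu_unchecked(size_t len, size_t pdu_len, long budget)
{
    long segments = 0;
    while (len > 0) {
        size_t chunk = len < pdu_len ? len : pdu_len;
        if (segments++ >= budget)
            return -1;          /* no progress: would loop forever */
        len -= chunk;           /* chunk is 0 whenever pdu_len is 0 */
    }
    return segments;
}

/* Hardened variant: refuse a zero PDU size before entering the loop.
 * Since 'pdu_len' is derived from the peer's maximum PDU size option,
 * the same check belongs where that option is parsed. */
static long segment_sdu_checked(size_t len, size_t pdu_len)
{
    if (pdu_len == 0)
        return -EINVAL_MODEL;
    /* With a non-zero pdu_len the loop needs at most len/pdu_len + 1 turns. */
    return segment_sdu_unchecked(len, pdu_len, (long)(len / pdu_len) + 1);
}

int main(void)
{
    printf("unchecked, pdu_len=0:   %ld\n", segment_sdu_unchecked(1000, 0, 10000));
    printf("checked,   pdu_len=0:   %ld\n", segment_sdu_checked(1000, 0));
    printf("checked,   pdu_len=256: %ld\n", segment_sdu_checked(1000, 256));
    return 0;
}
```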

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Apr 22, 2026, 3:00 PM
Updated: Apr 22, 2026, 3:00 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.