Related Vulnerabilities: CVE-2019-3459  


Severity Medium

Remote Yes

Type Information disclosure

Description

The functions l2cap_parse_conf_rsp and l2cap_parse_conf_req (l2cap_core.c), and other locations, contain a while loop that parses configuration elements during L2CAP connection negotiation.

In these functions, the loop processes data before checking that all of the processed data lies inside the buffer. In addition, if data outside the buffer is processed, the function does not return an error.

Therefore, out-of-bounds data can be processed and, in some cases, returned to the attacker.
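The corrected ordering, check first and then read, is shown below as an added example. It is a simplified userspace model, not the kernel's code or the upstream patch. The names `conf_opt`, `get_conf_opt` and `parse_conf` are hypothetical, and the model assumes each option is one type byte, one length byte, then the value, with MTU as type 0x01.

```c
#include <stddef.h>
#include <stdint.h>

#define OPT_HDR_SIZE 2     /* assumed layout: 1 type byte + 1 length byte */
#define OPT_TYPE_MTU 0x01  /* assumed option type carrying a 16-bit MTU */

struct conf_opt { uint8_t type; uint8_t len; const uint8_t *val; };

/*
 * Read one option starting at buf[*off]. Both the header and the value are
 * bounds-checked BEFORE any byte is read; on failure nothing is consumed.
 */
static int get_conf_opt(const uint8_t *buf, size_t size, size_t *off,
                        struct conf_opt *opt)
{
    if (size - *off < OPT_HDR_SIZE)             /* header would cross the end */
        return -1;
    opt->type = buf[*off];
    opt->len = buf[*off + 1];
    if (size - *off - OPT_HDR_SIZE < opt->len)  /* value would cross the end */
        return -1;
    opt->val = buf + *off + OPT_HDR_SIZE;
    *off += OPT_HDR_SIZE + (size_t)opt->len;
    return 0;
}

/* Returns the number of options parsed, or -1 if the buffer is malformed. */
int parse_conf(const uint8_t *buf, size_t size, uint16_t *mtu)
{
    size_t off = 0;
    int count = 0;
    struct conf_opt opt;

    while (off < size) {
        if (get_conf_opt(buf, size, &off, &opt) < 0)
            return -1;      /* report the error instead of parsing on */
        if (opt.type == OPT_TYPE_MTU) {
            if (opt.len != 2)
                return -1;  /* reject an unexpected value length */
            *mtu = (uint16_t)(opt.val[0] | (opt.val[1] << 8));
        }
        count++;
    }
    return count;
}
```

A parser with the flawed ordering would read the type, length and value first and only afterwards compare the consumed size with the buffer size, so a truncated final option would be filled from whatever memory follows the buffer.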

AVG-850 linux 4.20.arch4-1 Critical Vulnerable

https://lore.kernel.org/linux-bluetooth/20190110062917.GB15047@kroah.com/