From 80a6b91d758ac94d6b6d40250d68f06cd4a06097 Mon Sep 17 00:00:00 2001
From: Ismagil Iskakov <i.iskakov@omp.ru>
Date: Wed, 9 Jul 2025 16:36:19 +0300
Subject: [PATCH] btio: fix range validation of security level

Arrays inside l2cap_set_lm/rfcomm_set_lm functions are of size 4,
but the bounds check allows the value 4 for 'level'.
---
 btio/btio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/btio/btio.c b/btio/btio.c
index b8afe0580..bc14199f2 100644
--- a/btio/btio.c
+++ b/btio/btio.c
@@ -474,6 +474,12 @@ static gboolean set_sec_level(int sock, BtIOType type, int level, GError **err)
 		return FALSE;
 	}
 
+	if (level == BT_SECURITY_FIPS) {
+		g_set_error(err, BT_IO_ERROR, EINVAL,
+				"FIPS security level is not supported for L2CAP_LM/RFCOMM_LM");
+		return FALSE;
+	}
+
 	if (type == BT_IO_L2CAP)
 		ret = l2cap_set_lm(sock, level);
 	else
-- 
2.47.3