Bluetooth: RFCOMM: Fix MTU calculation in rfcomm_connected

The MTU calculation in rfcomm_connected() was incorrectly adding the FCS
size instead of subtracting it.
This could lead to buffer overflows when sending data that exceeds
the actual available space.

Fix the calculation by properly subtracting both the RFCOMM header size and
the FCS size from the L2CAP MTU to get the correct RFCOMM session MTU.

Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>

Author: jerryyang35

subsys/bluetooth/host/classic/rfcomm.c

@@ -430,7 +430,7 @@ static void rfcomm_connected(struct bt_l2cap_chan *chan)
 	/* Need to include UIH header and FCS*/
 	session->mtu = MIN(session->br_chan.rx.mtu,
 			   session->br_chan.tx.mtu) -
-			   BT_RFCOMM_HDR_SIZE + BT_RFCOMM_FCS_SIZE;
+			   BT_RFCOMM_HDR_SIZE - BT_RFCOMM_FCS_SIZE;
 
 	if (session->state == BT_RFCOMM_STATE_CONNECTING) {
 		rfcomm_send_sabm(session, 0);