lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Bluetooth: Check if SDU size is greater than MTU on L2CAP

Browse Source 
After reassembly the SDU we need to check his size. It can't overflow
the MTU size.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Reviewed-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
Gustavo F. Padovan
2010-05-01 16:15:37 -03:00
committed by Marcel Holtmann
parent 277ffbe362
commit 36f2fd585f
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
net/bluetooth/l2cap.c
View File

@@ -3277,15 +3277,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
pi->conn_state &= ~L2CAP_CONN_SAR_SDU; pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
pi->partial_sdu_len += skb->len; pi->partial_sdu_len += skb->len;
if (pi->partial_sdu_len > pi->imtu)
goto drop;
if (pi->partial_sdu_len == pi->sdu_len) { if (pi->partial_sdu_len == pi->sdu_len) {
_skb = skb_clone(pi->sdu, GFP_ATOMIC); _skb = skb_clone(pi->sdu, GFP_ATOMIC);
err = sock_queue_rcv_skb(sk, _skb); err = sock_queue_rcv_skb(sk, _skb);
if (err < 0) if (err < 0)
kfree_skb(_skb); kfree_skb(_skb);
} }
kfree_skb(pi->sdu);
err = 0; err = 0;
drop:
kfree_skb(pi->sdu);
break; break;
} }