projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 277ffbe)
Bluetooth: Check if SDU size is greater than MTU on L2CAP
authorGustavo F. Padovan <[email protected]>
Sat, 1 May 2010 19:15:37 +0000 (16:15 -0300)
committerMarcel Holtmann <[email protected]>
Mon, 10 May 2010 07:28:47 +0000 (09:28 +0200)
After reassembly the SDU we need to check his size. It can't overflow
the MTU size.

Signed-off-by: Gustavo F. Padovan <[email protected]>
Reviewed-by: João Paulo Rechi Vita <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
net/bluetooth/l2cap.c patch | blob | history

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index ac00f5fac2d2649f1c773c03f9d94e51fdeae836..2e354d29f102f0ed55866fba461a6a69445e4838 100644 (file)
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3277,15 +3277,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
                pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
                pi->partial_sdu_len += skb->len;
 
+               if (pi->partial_sdu_len > pi->imtu)
+                       goto drop;
+
                if (pi->partial_sdu_len == pi->sdu_len) {
                        _skb = skb_clone(pi->sdu, GFP_ATOMIC);
                        err = sock_queue_rcv_skb(sk, _skb);
                        if (err < 0)
                                kfree_skb(_skb);
                }
-               kfree_skb(pi->sdu);
                err = 0;
 
+drop:
+               kfree_skb(pi->sdu);
                break;
        }
 
John Crispins staging tree