diff options
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 54ceb1f2cc9a..d4cad29b033f 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
| @@ -32,6 +32,7 @@ | |||
| 32 | 32 | ||
| 33 | #include <linux/debugfs.h> | 33 | #include <linux/debugfs.h> |
| 34 | #include <linux/crc16.h> | 34 | #include <linux/crc16.h> |
| 35 | #include <linux/filter.h> | ||
| 35 | 36 | ||
| 36 | #include <net/bluetooth/bluetooth.h> | 37 | #include <net/bluetooth/bluetooth.h> |
| 37 | #include <net/bluetooth/hci_core.h> | 38 | #include <net/bluetooth/hci_core.h> |
| @@ -5835,6 +5836,9 @@ static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, | |||
| 5835 | if (chan->sdu) | 5836 | if (chan->sdu) |
| 5836 | break; | 5837 | break; |
| 5837 | 5838 | ||
| 5839 | if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) | ||
| 5840 | break; | ||
| 5841 | |||
| 5838 | chan->sdu_len = get_unaligned_le16(skb->data); | 5842 | chan->sdu_len = get_unaligned_le16(skb->data); |
| 5839 | skb_pull(skb, L2CAP_SDULEN_SIZE); | 5843 | skb_pull(skb, L2CAP_SDULEN_SIZE); |
| 5840 | 5844 | ||
| @@ -6610,6 +6614,10 @@ static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) | |||
| 6610 | goto drop; | 6614 | goto drop; |
| 6611 | } | 6615 | } |
| 6612 | 6616 | ||
| 6617 | if ((chan->mode == L2CAP_MODE_ERTM || | ||
| 6618 | chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb)) | ||
| 6619 | goto drop; | ||
| 6620 | |||
| 6613 | if (!control->sframe) { | 6621 | if (!control->sframe) { |
| 6614 | int err; | 6622 | int err; |
| 6615 | 6623 | ||