diff options
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 70 |
1 files changed, 52 insertions, 18 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index a76d1ac0321b..24bee07ee4ce 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
| @@ -3677,10 +3677,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) | |||
| 3677 | } | 3677 | } |
| 3678 | 3678 | ||
| 3679 | static inline int l2cap_command_rej(struct l2cap_conn *conn, | 3679 | static inline int l2cap_command_rej(struct l2cap_conn *conn, |
| 3680 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3680 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 3681 | u8 *data) | ||
| 3681 | { | 3682 | { |
| 3682 | struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; | 3683 | struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; |
| 3683 | 3684 | ||
| 3685 | if (cmd_len < sizeof(*rej)) | ||
| 3686 | return -EPROTO; | ||
| 3687 | |||
| 3684 | if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) | 3688 | if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) |
| 3685 | return 0; | 3689 | return 0; |
| 3686 | 3690 | ||
| @@ -3829,11 +3833,14 @@ sendresp: | |||
| 3829 | } | 3833 | } |
| 3830 | 3834 | ||
| 3831 | static int l2cap_connect_req(struct l2cap_conn *conn, | 3835 | static int l2cap_connect_req(struct l2cap_conn *conn, |
| 3832 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3836 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) |
| 3833 | { | 3837 | { |
| 3834 | struct hci_dev *hdev = conn->hcon->hdev; | 3838 | struct hci_dev *hdev = conn->hcon->hdev; |
| 3835 | struct hci_conn *hcon = conn->hcon; | 3839 | struct hci_conn *hcon = conn->hcon; |
| 3836 | 3840 | ||
| 3841 | if (cmd_len < sizeof(struct l2cap_conn_req)) | ||
| 3842 | return -EPROTO; | ||
| 3843 | |||
| 3837 | hci_dev_lock(hdev); | 3844 | hci_dev_lock(hdev); |
| 3838 | if (test_bit(HCI_MGMT, &hdev->dev_flags) && | 3845 | if (test_bit(HCI_MGMT, &hdev->dev_flags) && |
| 3839 | !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) | 3846 | !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) |
| @@ -3847,7 +3854,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn, | |||
| 3847 | } | 3854 | } |
| 3848 | 3855 | ||
| 3849 | static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | 3856 | static int l2cap_connect_create_rsp(struct l2cap_conn *conn, |
| 3850 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3857 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 3858 | u8 *data) | ||
| 3851 | { | 3859 | { |
| 3852 | struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; | 3860 | struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; |
| 3853 | u16 scid, dcid, result, status; | 3861 | u16 scid, dcid, result, status; |
| @@ -3855,6 +3863,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | |||
| 3855 | u8 req[128]; | 3863 | u8 req[128]; |
| 3856 | int err; | 3864 | int err; |
| 3857 | 3865 | ||
| 3866 | if (cmd_len < sizeof(*rsp)) | ||
| 3867 | return -EPROTO; | ||
| 3868 | |||
| 3858 | scid = __le16_to_cpu(rsp->scid); | 3869 | scid = __le16_to_cpu(rsp->scid); |
| 3859 | dcid = __le16_to_cpu(rsp->dcid); | 3870 | dcid = __le16_to_cpu(rsp->dcid); |
| 3860 | result = __le16_to_cpu(rsp->result); | 3871 | result = __le16_to_cpu(rsp->result); |
| @@ -3952,6 +3963,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | |||
| 3952 | struct l2cap_chan *chan; | 3963 | struct l2cap_chan *chan; |
| 3953 | int len, err = 0; | 3964 | int len, err = 0; |
| 3954 | 3965 | ||
| 3966 | if (cmd_len < sizeof(*req)) | ||
| 3967 | return -EPROTO; | ||
| 3968 | |||
| 3955 | dcid = __le16_to_cpu(req->dcid); | 3969 | dcid = __le16_to_cpu(req->dcid); |
| 3956 | flags = __le16_to_cpu(req->flags); | 3970 | flags = __le16_to_cpu(req->flags); |
| 3957 | 3971 | ||
| @@ -3975,7 +3989,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | |||
| 3975 | 3989 | ||
| 3976 | /* Reject if config buffer is too small. */ | 3990 | /* Reject if config buffer is too small. */ |
| 3977 | len = cmd_len - sizeof(*req); | 3991 | len = cmd_len - sizeof(*req); |
| 3978 | if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { | 3992 | if (chan->conf_len + len > sizeof(chan->conf_req)) { |
| 3979 | l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, | 3993 | l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, |
| 3980 | l2cap_build_conf_rsp(chan, rsp, | 3994 | l2cap_build_conf_rsp(chan, rsp, |
| 3981 | L2CAP_CONF_REJECT, flags), rsp); | 3995 | L2CAP_CONF_REJECT, flags), rsp); |
| @@ -4053,14 +4067,18 @@ unlock: | |||
| 4053 | } | 4067 | } |
| 4054 | 4068 | ||
| 4055 | static inline int l2cap_config_rsp(struct l2cap_conn *conn, | 4069 | static inline int l2cap_config_rsp(struct l2cap_conn *conn, |
| 4056 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4070 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4071 | u8 *data) | ||
| 4057 | { | 4072 | { |
| 4058 | struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; | 4073 | struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; |
| 4059 | u16 scid, flags, result; | 4074 | u16 scid, flags, result; |
| 4060 | struct l2cap_chan *chan; | 4075 | struct l2cap_chan *chan; |
| 4061 | int len = le16_to_cpu(cmd->len) - sizeof(*rsp); | 4076 | int len = cmd_len - sizeof(*rsp); |
| 4062 | int err = 0; | 4077 | int err = 0; |
| 4063 | 4078 | ||
| 4079 | if (cmd_len < sizeof(*rsp)) | ||
| 4080 | return -EPROTO; | ||
| 4081 | |||
| 4064 | scid = __le16_to_cpu(rsp->scid); | 4082 | scid = __le16_to_cpu(rsp->scid); |
| 4065 | flags = __le16_to_cpu(rsp->flags); | 4083 | flags = __le16_to_cpu(rsp->flags); |
| 4066 | result = __le16_to_cpu(rsp->result); | 4084 | result = __le16_to_cpu(rsp->result); |
| @@ -4161,7 +4179,8 @@ done: | |||
| 4161 | } | 4179 | } |
| 4162 | 4180 | ||
| 4163 | static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | 4181 | static inline int l2cap_disconnect_req(struct l2cap_conn *conn, |
| 4164 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4182 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4183 | u8 *data) | ||
| 4165 | { | 4184 | { |
| 4166 | struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; | 4185 | struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; |
| 4167 | struct l2cap_disconn_rsp rsp; | 4186 | struct l2cap_disconn_rsp rsp; |
| @@ -4169,6 +4188,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | |||
| 4169 | struct l2cap_chan *chan; | 4188 | struct l2cap_chan *chan; |
| 4170 | struct sock *sk; | 4189 | struct sock *sk; |
| 4171 | 4190 | ||
| 4191 | if (cmd_len != sizeof(*req)) | ||
| 4192 | return -EPROTO; | ||
| 4193 | |||
| 4172 | scid = __le16_to_cpu(req->scid); | 4194 | scid = __le16_to_cpu(req->scid); |
| 4173 | dcid = __le16_to_cpu(req->dcid); | 4195 | dcid = __le16_to_cpu(req->dcid); |
| 4174 | 4196 | ||
| @@ -4208,12 +4230,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | |||
| 4208 | } | 4230 | } |
| 4209 | 4231 | ||
| 4210 | static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | 4232 | static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, |
| 4211 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4233 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4234 | u8 *data) | ||
| 4212 | { | 4235 | { |
| 4213 | struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; | 4236 | struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; |
| 4214 | u16 dcid, scid; | 4237 | u16 dcid, scid; |
| 4215 | struct l2cap_chan *chan; | 4238 | struct l2cap_chan *chan; |
| 4216 | 4239 | ||
| 4240 | if (cmd_len != sizeof(*rsp)) | ||
| 4241 | return -EPROTO; | ||
| 4242 | |||
| 4217 | scid = __le16_to_cpu(rsp->scid); | 4243 | scid = __le16_to_cpu(rsp->scid); |
| 4218 | dcid = __le16_to_cpu(rsp->dcid); | 4244 | dcid = __le16_to_cpu(rsp->dcid); |
| 4219 | 4245 | ||
| @@ -4243,11 +4269,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | |||
| 4243 | } | 4269 | } |
| 4244 | 4270 | ||
| 4245 | static inline int l2cap_information_req(struct l2cap_conn *conn, | 4271 | static inline int l2cap_information_req(struct l2cap_conn *conn, |
| 4246 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4272 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4273 | u8 *data) | ||
| 4247 | { | 4274 | { |
| 4248 | struct l2cap_info_req *req = (struct l2cap_info_req *) data; | 4275 | struct l2cap_info_req *req = (struct l2cap_info_req *) data; |
| 4249 | u16 type; | 4276 | u16 type; |
| 4250 | 4277 | ||
| 4278 | if (cmd_len != sizeof(*req)) | ||
| 4279 | return -EPROTO; | ||
| 4280 | |||
| 4251 | type = __le16_to_cpu(req->type); | 4281 | type = __le16_to_cpu(req->type); |
| 4252 | 4282 | ||
| 4253 | BT_DBG("type 0x%4.4x", type); | 4283 | BT_DBG("type 0x%4.4x", type); |
| @@ -4294,11 +4324,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, | |||
| 4294 | } | 4324 | } |
| 4295 | 4325 | ||
| 4296 | static inline int l2cap_information_rsp(struct l2cap_conn *conn, | 4326 | static inline int l2cap_information_rsp(struct l2cap_conn *conn, |
| 4297 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4327 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4328 | u8 *data) | ||
| 4298 | { | 4329 | { |
| 4299 | struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; | 4330 | struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; |
| 4300 | u16 type, result; | 4331 | u16 type, result; |
| 4301 | 4332 | ||
| 4333 | if (cmd_len != sizeof(*rsp)) | ||
| 4334 | return -EPROTO; | ||
| 4335 | |||
| 4302 | type = __le16_to_cpu(rsp->type); | 4336 | type = __le16_to_cpu(rsp->type); |
| 4303 | result = __le16_to_cpu(rsp->result); | 4337 | result = __le16_to_cpu(rsp->result); |
| 4304 | 4338 | ||
| @@ -5164,16 +5198,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5164 | 5198 | ||
| 5165 | switch (cmd->code) { | 5199 | switch (cmd->code) { |
| 5166 | case L2CAP_COMMAND_REJ: | 5200 | case L2CAP_COMMAND_REJ: |
| 5167 | l2cap_command_rej(conn, cmd, data); | 5201 | l2cap_command_rej(conn, cmd, cmd_len, data); |
| 5168 | break; | 5202 | break; |
| 5169 | 5203 | ||
| 5170 | case L2CAP_CONN_REQ: | 5204 | case L2CAP_CONN_REQ: |
| 5171 | err = l2cap_connect_req(conn, cmd, data); | 5205 | err = l2cap_connect_req(conn, cmd, cmd_len, data); |
| 5172 | break; | 5206 | break; |
| 5173 | 5207 | ||
| 5174 | case L2CAP_CONN_RSP: | 5208 | case L2CAP_CONN_RSP: |
| 5175 | case L2CAP_CREATE_CHAN_RSP: | 5209 | case L2CAP_CREATE_CHAN_RSP: |
| 5176 | err = l2cap_connect_create_rsp(conn, cmd, data); | 5210 | err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data); |
| 5177 | break; | 5211 | break; |
| 5178 | 5212 | ||
| 5179 | case L2CAP_CONF_REQ: | 5213 | case L2CAP_CONF_REQ: |
| @@ -5181,15 +5215,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5181 | break; | 5215 | break; |
| 5182 | 5216 | ||
| 5183 | case L2CAP_CONF_RSP: | 5217 | case L2CAP_CONF_RSP: |
| 5184 | err = l2cap_config_rsp(conn, cmd, data); | 5218 | err = l2cap_config_rsp(conn, cmd, cmd_len, data); |
| 5185 | break; | 5219 | break; |
| 5186 | 5220 | ||
| 5187 | case L2CAP_DISCONN_REQ: | 5221 | case L2CAP_DISCONN_REQ: |
| 5188 | err = l2cap_disconnect_req(conn, cmd, data); | 5222 | err = l2cap_disconnect_req(conn, cmd, cmd_len, data); |
| 5189 | break; | 5223 | break; |
| 5190 | 5224 | ||
| 5191 | case L2CAP_DISCONN_RSP: | 5225 | case L2CAP_DISCONN_RSP: |
| 5192 | err = l2cap_disconnect_rsp(conn, cmd, data); | 5226 | err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data); |
| 5193 | break; | 5227 | break; |
| 5194 | 5228 | ||
| 5195 | case L2CAP_ECHO_REQ: | 5229 | case L2CAP_ECHO_REQ: |
| @@ -5200,11 +5234,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5200 | break; | 5234 | break; |
| 5201 | 5235 | ||
| 5202 | case L2CAP_INFO_REQ: | 5236 | case L2CAP_INFO_REQ: |
| 5203 | err = l2cap_information_req(conn, cmd, data); | 5237 | err = l2cap_information_req(conn, cmd, cmd_len, data); |
| 5204 | break; | 5238 | break; |
| 5205 | 5239 | ||
| 5206 | case L2CAP_INFO_RSP: | 5240 | case L2CAP_INFO_RSP: |
| 5207 | err = l2cap_information_rsp(conn, cmd, data); | 5241 | err = l2cap_information_rsp(conn, cmd, cmd_len, data); |
| 5208 | break; | 5242 | break; |
| 5209 | 5243 | ||
| 5210 | case L2CAP_CREATE_CHAN_REQ: | 5244 | case L2CAP_CREATE_CHAN_REQ: |