aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth/l2cap_core.c
diff options
context:
space:
mode:
authorGustavo Padovan <gustavo@padovan.org>2012-05-15 12:22:55 -0400
committerGustavo Padovan <gustavo.padovan@collabora.co.uk>2012-05-16 15:12:32 -0400
commitfbe0070092c3968927c63ab56c00b47c6aa3770f (patch)
tree0f72c292cd711a6cc91403dea5da56c2f20c00d9 /net/bluetooth/l2cap_core.c
parent08e6d907fe606b751adddce54ad8f51e0950bc3f (diff)
Bluetooth: Fix wrong set of skb fragments
If alloc() fails we let the frags linked list with garbage value (the err ptr value) in its last element. Reported-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
-rw-r--r--net/bluetooth/l2cap_core.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 3714c9656459..339f8344ee59 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1836,13 +1836,17 @@ static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1836 /* Continuation fragments (no L2CAP header) */ 1836 /* Continuation fragments (no L2CAP header) */
1837 frag = &skb_shinfo(skb)->frag_list; 1837 frag = &skb_shinfo(skb)->frag_list;
1838 while (len) { 1838 while (len) {
1839 struct sk_buff *tmp;
1840
1839 count = min_t(unsigned int, conn->mtu, len); 1841 count = min_t(unsigned int, conn->mtu, len);
1840 1842
1841 *frag = chan->ops->alloc_skb(chan, count, 1843 tmp = chan->ops->alloc_skb(chan, count,
1842 msg->msg_flags & MSG_DONTWAIT); 1844 msg->msg_flags & MSG_DONTWAIT);
1845 if (IS_ERR(tmp))
1846 return PTR_ERR(tmp);
1847
1848 *frag = tmp;
1843 1849
1844 if (IS_ERR(*frag))
1845 return PTR_ERR(*frag);
1846 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) 1850 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1847 return -EFAULT; 1851 return -EFAULT;
1848 1852