diff options
author | Gustavo Padovan <gustavo@padovan.org> | 2012-05-15 12:22:55 -0400 |
---|---|---|
committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2012-05-16 15:12:32 -0400 |
commit | fbe0070092c3968927c63ab56c00b47c6aa3770f (patch) | |
tree | 0f72c292cd711a6cc91403dea5da56c2f20c00d9 /net/bluetooth/l2cap_core.c | |
parent | 08e6d907fe606b751adddce54ad8f51e0950bc3f (diff) |
Bluetooth: Fix wrong set of skb fragments
If alloc() fails we let the frags linked list with garbage value (the
err ptr value) in its last element.
Reported-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
-rw-r--r-- | net/bluetooth/l2cap_core.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 3714c9656459..339f8344ee59 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
@@ -1836,13 +1836,17 @@ static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, | |||
1836 | /* Continuation fragments (no L2CAP header) */ | 1836 | /* Continuation fragments (no L2CAP header) */ |
1837 | frag = &skb_shinfo(skb)->frag_list; | 1837 | frag = &skb_shinfo(skb)->frag_list; |
1838 | while (len) { | 1838 | while (len) { |
1839 | struct sk_buff *tmp; | ||
1840 | |||
1839 | count = min_t(unsigned int, conn->mtu, len); | 1841 | count = min_t(unsigned int, conn->mtu, len); |
1840 | 1842 | ||
1841 | *frag = chan->ops->alloc_skb(chan, count, | 1843 | tmp = chan->ops->alloc_skb(chan, count, |
1842 | msg->msg_flags & MSG_DONTWAIT); | 1844 | msg->msg_flags & MSG_DONTWAIT); |
1845 | if (IS_ERR(tmp)) | ||
1846 | return PTR_ERR(tmp); | ||
1847 | |||
1848 | *frag = tmp; | ||
1843 | 1849 | ||
1844 | if (IS_ERR(*frag)) | ||
1845 | return PTR_ERR(*frag); | ||
1846 | if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) | 1850 | if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) |
1847 | return -EFAULT; | 1851 | return -EFAULT; |
1848 | 1852 | ||