1 files changed, 4 insertions, 4 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index b89762134e4e..4af8fc0d512c 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -4092,9 +4092,9 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 {
        struct sock *sk;
        struct l2cap_pinfo *pi;
-        u16 control, len;
+        u16 control;
        u8 tx_seq, req_seq;
-        int next_tx_seq_offset, req_seq_offset;
+        int len, next_tx_seq_offset, req_seq_offset;
        sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
        if (!sk) {
@@ -4164,7 +4164,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                }
                if (__is_iframe(control)) {
-                        if (len < 4) {
+                        if (len < 0) {
                                l2cap_send_disconn_req(pi->conn, sk);
                                goto drop;
                        }
@@ -4192,7 +4192,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                if (pi->fcs == L2CAP_FCS_CRC16)
                        len -= 2;
-                if (len > pi->mps || len < 4 || __is_sframe(control))
+                if (len > pi->mps || len < 0 || __is_sframe(control))
                        goto drop;
                if (l2cap_check_fcs(pi, skb))

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index b89762134e4e..4af8fc0d512c 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c
@@ -4092,9 +4092,9 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4092	{	4092	{
4093	struct sock *sk;	4093	struct sock *sk;
4094	struct l2cap_pinfo *pi;	4094	struct l2cap_pinfo *pi;
4095	u16 control, len;	4095	u16 control;
4096	u8 tx_seq, req_seq;	4096	u8 tx_seq, req_seq;
4097	int next_tx_seq_offset, req_seq_offset;	4097	int len, next_tx_seq_offset, req_seq_offset;
4098		4098
4099	sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);	4099	sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4100	if (!sk) {	4100	if (!sk) {
@@ -4164,7 +4164,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4164	}	4164	}
4165		4165
4166	if (__is_iframe(control)) {	4166	if (__is_iframe(control)) {
4167	if (len < 4) {	4167	if (len < 0) {
4168	l2cap_send_disconn_req(pi->conn, sk);	4168	l2cap_send_disconn_req(pi->conn, sk);
4169	goto drop;	4169	goto drop;
4170	}	4170	}
@@ -4192,7 +4192,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4192	if (pi->fcs == L2CAP_FCS_CRC16)	4192	if (pi->fcs == L2CAP_FCS_CRC16)
4193	len -= 2;	4193	len -= 2;
4194		4194
4195	if (len > pi->mps \|\| len < 4 \|\| __is_sframe(control))	4195	if (len > pi->mps \|\| len < 0 \|\| __is_sframe(control))
4196	goto drop;	4196	goto drop;
4197		4197
4198	if (l2cap_check_fcs(pi, skb))	4198	if (l2cap_check_fcs(pi, skb))