authorMarcel Holtmann <marcel@holtmann.org>2005-09-12 19:32:31 -0400
committerMarcel Holtmann <marcel@holtmann.org>2005-09-12 19:32:31 -0400
commit354d28d5f8546e115ebaae9311897f0bc4b6a8d4 (patch)
tree0eb7bd932d43047b592b80d42808f8cdc33286c8
parent21d9e30ed020d24336cc3bee2a4e04da232ed554 (diff)
[Bluetooth] Prevent RFCOMM connections through the RAW socket
This patch adds additional checks to prevent RFCOMM connections from being established through the RAW socket interface. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--net/bluetooth/rfcomm/sock.c30
1 files changed, 25 insertions, 5 deletions
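diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 90e19eb6d3cc..f49e7e938bfb 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -363,6 +363,11 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
 		goto done;
 	}
 
+	if (sk->sk_type != SOCK_STREAM) {
+		err = -EINVAL;
+		goto done;
+	}
+
 	write_lock_bh(&rfcomm_sk_list.lock);
 
 	if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
@@ -393,13 +398,17 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a
 	if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc))
 		return -EINVAL;
 
-	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
-		return -EBADFD;
+	lock_sock(sk);
 
-	if (sk->sk_type != SOCK_STREAM)
-		return -EINVAL;
+	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
+		err = -EBADFD;
+		goto done;
+	}
 
-	lock_sock(sk);
+	if (sk->sk_type != SOCK_STREAM) {
+		err = -EINVAL;
+		goto done;
+	}
 
 	sk->sk_state = BT_CONNECT;
 	bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
@@ -410,6 +419,7 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a
 	err = bt_sock_wait_state(sk, BT_CONNECTED,
 			sock_sndtimeo(sk, flags & O_NONBLOCK));
 
+done:
 	release_sock(sk);
 	return err;
 }
@@ -428,6 +438,11 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog)
 		goto done;
 	}
 
+	if (sk->sk_type != SOCK_STREAM) {
+		err = -EINVAL;
+		goto done;
+	}
+
 	if (!rfcomm_pi(sk)->channel) {
 		bdaddr_t *src = &bt_sk(sk)->src;
 		u8 channel;
@@ -472,6 +487,11 @@ static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int f
 		goto done;
 	}
 
+	if (sk->sk_type != SOCK_STREAM) {
+		err = -EINVAL;
+		goto done;
+	}
+
 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
 
 	BT_DBG("sk %p timeo %ld", sk, timeo);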
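Review bot: The four-line `sk->sk_type != SOCK_STREAM` guard is added verbatim to rfcomm_sock_bind, rfcomm_sock_connect, rfcomm_sock_listen and rfcomm_sock_accept without a word on why, so a reader of any single copy cannot tell that it is the RAW-socket restriction named in the commit title; the first copy in rfcomm_sock_bind deserves a comment such as `/* RFCOMM connections are only permitted on SOCK_STREAM sockets; the RAW socket type must not bind, connect, listen or accept */`, and the four identical copies are a candidate for one static helper so they cannot drift apart. In rfcomm_sock_connect the state and type checks are now evaluated after lock_sock() and leave through the `done:` label that the third hunk adds, while the `err` declaration for that function lies outside the hunks. All four functions begin outside their hunks, and the hunks do not show whether other socket operations on a RAW socket need the same guard, which is worth confirming separately.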