diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2005-09-12 19:32:31 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2005-09-12 19:32:31 -0400 |
commit | 354d28d5f8546e115ebaae9311897f0bc4b6a8d4 (patch) | |
tree | 0eb7bd932d43047b592b80d42808f8cdc33286c8 | |
parent | 21d9e30ed020d24336cc3bee2a4e04da232ed554 (diff) |
[Bluetooth] Prevent RFCOMM connections through the RAW socket
This patch adds additional checks to prevent RFCOMM connections be
established through the RAW socket interface.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/rfcomm/sock.c | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 90e19eb6d3cc..f49e7e938bfb 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c | |||
@@ -363,6 +363,11 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr | |||
363 | goto done; | 363 | goto done; |
364 | } | 364 | } |
365 | 365 | ||
366 | if (sk->sk_type != SOCK_STREAM) { | ||
367 | err = -EINVAL; | ||
368 | goto done; | ||
369 | } | ||
370 | |||
366 | write_lock_bh(&rfcomm_sk_list.lock); | 371 | write_lock_bh(&rfcomm_sk_list.lock); |
367 | 372 | ||
368 | if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) { | 373 | if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) { |
@@ -393,13 +398,17 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a | |||
393 | if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc)) | 398 | if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc)) |
394 | return -EINVAL; | 399 | return -EINVAL; |
395 | 400 | ||
396 | if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) | 401 | lock_sock(sk); |
397 | return -EBADFD; | ||
398 | 402 | ||
399 | if (sk->sk_type != SOCK_STREAM) | 403 | if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { |
400 | return -EINVAL; | 404 | err = -EBADFD; |
405 | goto done; | ||
406 | } | ||
401 | 407 | ||
402 | lock_sock(sk); | 408 | if (sk->sk_type != SOCK_STREAM) { |
409 | err = -EINVAL; | ||
410 | goto done; | ||
411 | } | ||
403 | 412 | ||
404 | sk->sk_state = BT_CONNECT; | 413 | sk->sk_state = BT_CONNECT; |
405 | bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr); | 414 | bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr); |
@@ -410,6 +419,7 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a | |||
410 | err = bt_sock_wait_state(sk, BT_CONNECTED, | 419 | err = bt_sock_wait_state(sk, BT_CONNECTED, |
411 | sock_sndtimeo(sk, flags & O_NONBLOCK)); | 420 | sock_sndtimeo(sk, flags & O_NONBLOCK)); |
412 | 421 | ||
422 | done: | ||
413 | release_sock(sk); | 423 | release_sock(sk); |
414 | return err; | 424 | return err; |
415 | } | 425 | } |
@@ -428,6 +438,11 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog) | |||
428 | goto done; | 438 | goto done; |
429 | } | 439 | } |
430 | 440 | ||
441 | if (sk->sk_type != SOCK_STREAM) { | ||
442 | err = -EINVAL; | ||
443 | goto done; | ||
444 | } | ||
445 | |||
431 | if (!rfcomm_pi(sk)->channel) { | 446 | if (!rfcomm_pi(sk)->channel) { |
432 | bdaddr_t *src = &bt_sk(sk)->src; | 447 | bdaddr_t *src = &bt_sk(sk)->src; |
433 | u8 channel; | 448 | u8 channel; |
@@ -472,6 +487,11 @@ static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int f | |||
472 | goto done; | 487 | goto done; |
473 | } | 488 | } |
474 | 489 | ||
490 | if (sk->sk_type != SOCK_STREAM) { | ||
491 | err = -EINVAL; | ||
492 | goto done; | ||
493 | } | ||
494 | |||
475 | timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); | 495 | timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); |
476 | 496 | ||
477 | BT_DBG("sk %p timeo %ld", sk, timeo); | 497 | BT_DBG("sk %p timeo %ld", sk, timeo); |