authorGustavo F. Padovan <padovan@profusion.mobi>2010-05-01 15:15:37 -0400
committerMarcel Holtmann <marcel@holtmann.org>2010-05-10 03:28:47 -0400
commit36f2fd585f43199f006a3b5ff84e95815102cd31 (patch)
tree39f854d840c8c450a51d03c32f04ac771671ecbe
parent277ffbe362823d18a17792fbd8e507010e666299 (diff)
Bluetooth: Check if SDU size is greater than MTU on L2CAP
After reassembling the SDU we need to check its size. It must not exceed the MTU size. Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Reviewed-by: João Paulo Rechi Vita <jprvita@profusion.mobi> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--net/bluetooth/l2cap.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index ac00f5fac2d2..2e354d29f102 100644
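--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3277,15 +3277,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
 pi->partial_sdu_len += skb->len;
 
+if (pi->partial_sdu_len > pi->imtu)
+goto drop;
+
 if (pi->partial_sdu_len == pi->sdu_len) {
 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
 err = sock_queue_rcv_skb(sk, _skb);
 if (err < 0)
 kfree_skb(_skb);
 }
-kfree_skb(pi->sdu);
 err = 0;
 
+drop:
+kfree_skb(pi->sdu);
 break;
 }
 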
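Review bot: The new bound `if (pi->partial_sdu_len > pi->imtu)` runs only after `pi->partial_sdu_len += skb->len`, so if the fragment is appended to `pi->sdu` earlier in this case (those lines are outside the hunk), an oversized final fragment is rejected only after it has been written. The length test should come before the append, in the form `if (pi->partial_sdu_len + skb->len > pi->imtu) goto drop;`. The `drop:` path frees `pi->sdu` but leaves the pointer set, so adding `pi->sdu = NULL;` after `kfree_skb(pi->sdu)` would rule out a stale reference on a later fragment. Separately, `skb_clone(pi->sdu, GFP_ATOMIC)` can return NULL and its result goes straight into `sock_queue_rcv_skb()`, which an `if (!_skb) goto drop;` guard would cover. Note that `goto drop` skips `err = 0`, so the value returned for a dropped SDU depends on how `err` is initialised above the hunk.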