author | Marcel Holtmann <marcel@holtmann.org> | 2007-01-07 20:16:31 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-01-09 03:29:55 -0500 |
commit | 4d6a2188bd456969f52c03edf1988de90f08d9f5 (patch) | |
tree | ccbae1cf287db409d62c4178d417337ed4b409d1 | |
parent | b6e557fbf1dbba8cfa667a25503e5dbd0e9330b7 (diff) |
[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()
When calling send() with a zero length parameter on a RFCOMM socket
it returns a positive value. In this rare case the variable err is
used uninitialized and unfortunately its value is returned.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/rfcomm/sock.c | 9 |
1 files changed, 6 insertions, 3 deletions
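--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 struct sock *sk = sock->sk;
 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
 struct sk_buff *skb;
-int err;
 int sent = 0;
 
 if (msg->msg_flags & MSG_OOB)
@@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
 while (len) {
 size_t size = min_t(size_t, len, d->mtu);
+int err;
 
 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
 msg->msg_flags & MSG_DONTWAIT, &err);
@@ -582,13 +582,16 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
 if (err) {
 kfree_skb(skb);
-sent = err;
+if (sent == 0)
+sent = err;
 break;
 }
 
 err = rfcomm_dlc_send(d, skb);
 if (err < 0) {
 kfree_skb(skb);
+if (sent == 0)
+sent = err;
 break;
 }
 
@@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
 release_sock(sk);
 
-return sent ? sent : err;
+return sent;
 }
 
 static long rfcomm_sock_data_wait(struct sock *sk, long timeo)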
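Review bot: The allocation-failure path is not covered by the new error propagation: `err` from `sock_alloc_send_skb()` is now scoped to the loop body and the function ends with `return sent;`, but `sent = err` is only assigned in the `memcpy_fromiovec()` and `rfcomm_dlc_send()` branches shown in the third hunk. The lines between the allocation call and the copy fall outside the hunks; if the `!skb` branch there is a bare `break`, a first-iteration allocation failure now returns 0 where the old `return sent ? sent : err` returned the error, so user space cannot tell a failed send from a zero-length one. That branch should get the same `if (sent == 0) sent = err;` before its `break`.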