authorMarcel Holtmann <marcel@holtmann.org>2007-01-07 20:16:31 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2007-01-09 03:29:55 -0500
commit4d6a2188bd456969f52c03edf1988de90f08d9f5 (patch)
treeccbae1cf287db409d62c4178d417337ed4b409d1
parentb6e557fbf1dbba8cfa667a25503e5dbd0e9330b7 (diff)
[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()
When calling send() with a zero length parameter on a RFCOMM socket it returns a positive value. In this rare case the variable err is used uninitialized and unfortunately its value is returned. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--net/bluetooth/rfcomm/sock.c9
1 files changed, 6 insertions, 3 deletions
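diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 544d65b7baa7..cb7e855f0828 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 struct sock *sk = sock->sk;
 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
 struct sk_buff *skb;
-int err;
 int sent = 0;
 
 if (msg->msg_flags & MSG_OOB)
@@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
 while (len) {
 size_t size = min_t(size_t, len, d->mtu);
+int err;
 
 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
 msg->msg_flags & MSG_DONTWAIT, &err);
@@ -582,13 +582,16 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
 if (err) {
 kfree_skb(skb);
-sent = err;
+if (sent == 0)
+sent = err;
 break;
 }
 
 err = rfcomm_dlc_send(d, skb);
 if (err < 0) {
 kfree_skb(skb);
+if (sent == 0)
+sent = err;
 break;
 }
 
@@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
 release_sock(sk);
 
-return sent ? sent : err;
+return sent;
 }
 
 static long rfcomm_sock_data_wait(struct sock *sk, long timeo)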
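Review bot: With `err` now scoped to the loop body and the final statement reduced to `return sent;`, a `sock_alloc_send_skb()` failure on the first iteration appears to be reported as 0 instead of the error it stored in `err`. The allocation-failure branch sits between the second and third hunks and is not visible here, so this assumes it only breaks out of the loop. If so, it needs the same treatment as the two error paths this commit updates: `if (sent == 0) sent = err;` before its `break`. Returning 0 for a non-empty send hides errors such as -EAGAIN from the caller, which may then retry indefinitely or treat the data as handled.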