| author | Marcel Holtmann <marcel@holtmann.org> | 2015-04-01 16:51:52 -0400 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2015-04-02 01:42:21 -0400 |
| commit | 8bf17a3619250944957c732e71659787528131c3 (patch) | |
| tree | 947aa3ed5b5975067446f1cc5f9b3f30de79e889 | |
| parent | 41533fe5b4f92adb3c40f263b889dc6addff550e (diff) | |
Bluetooth: Restrict CMTP flags to only valid ones
The CMTP flags should be clearly restricted to valid ones. So this puts
extra checks in place to ensure this.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
| -rw-r--r-- | net/bluetooth/cmtp/core.c | 11 |
1 files changed, 10 insertions, 1 deletions
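--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -75,10 +75,11 @@ static void __cmtp_unlink_session(struct cmtp_session *session)
 
 static void __cmtp_copy_session(struct cmtp_session *session, struct cmtp_conninfo *ci)
 {
+u32 valid_flags = BIT(CMTP_LOOPBACK);
 memset(ci, 0, sizeof(*ci));
 bacpy(&ci->bdaddr, &session->bdaddr);
 
-ci->flags = session->flags;
+ci->flags = session->flags & valid_flags;
 ci->state = session->state;
 
 ci->num = session->num;
@@ -329,6 +330,7 @@ static int cmtp_session(void *arg)
 
 int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 {
+u32 valid_flags = BIT(CMTP_LOOPBACK);
 struct cmtp_session *session, *s;
 int i, err;
 
@@ -337,6 +339,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 if (!l2cap_is_socket(sock))
 return -EBADFD;
 
+if (req->flags & ~valid_flags)
+return -EINVAL;
+
 session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
 if (!session)
 return -ENOMEM;
@@ -409,11 +414,15 @@ failed:
 
 int cmtp_del_connection(struct cmtp_conndel_req *req)
 {
+u32 valid_flags = 0;
 struct cmtp_session *session;
 int err = 0;
 
 BT_DBG("");
 
+if (req->flags & ~valid_flags)
+return -EINVAL;
+
 down_read(&cmtp_session_sem);
 
 session = __cmtp_get_session(&req->bdaddr);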
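Review bot: The allowed-flag mask is written out three times as a local `valid_flags` (in `__cmtp_copy_session`, `cmtp_add_connection` and `cmtp_del_connection`), so the copy-out mask and the input check on the add path can drift apart when a flag is added later; one file-scope definition used by both, for example `#define CMTP_VALID_ADD_FLAGS BIT(CMTP_LOOPBACK)`, would keep them in step. In `cmtp_del_connection` the mask is 0, so any set bit in `req->flags` now returns -EINVAL; a comment such as `/* no flags are defined for connection deletion */` next to `u32 valid_flags = 0;` would make that intent explicit. Callers that previously passed a request whose flags field was not zeroed would presumably start failing on both paths, which is worth confirming against existing userspace before this lands. The bodies of `cmtp_add_connection` and `cmtp_del_connection` continue outside the hunks shown.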
