diff options
author | Gustavo F. Padovan <padovan@profusion.mobi> | 2010-05-01 15:15:40 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-05-10 03:28:49 -0400 |
commit | 052897ca5019d9157ae09e5e84eee2a9ef5dccc6 (patch) | |
tree | e236a9c5b6559f31c69c9b5e6fa02dbd70294ad6 /net/bluetooth/l2cap.c | |
parent | 10467e9e9b89272b25b56688bb276d0830e9ab9a (diff) |
Bluetooth: Check the SDU size against the MTU value
If the SDU size is greater than the MTU something is wrong, so report
an error.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
[jprvita@profusion.mobi: set err to appropriate errno value]
Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/l2cap.c')
-rw-r--r-- | net/bluetooth/l2cap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 0889949b6896..e936913c921e 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
@@ -3338,6 +3338,11 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co | |||
3338 | pi->sdu_len = get_unaligned_le16(skb->data); | 3338 | pi->sdu_len = get_unaligned_le16(skb->data); |
3339 | skb_pull(skb, 2); | 3339 | skb_pull(skb, 2); |
3340 | 3340 | ||
3341 | if (pi->sdu_len > pi->imtu) { | ||
3342 | err = -EMSGSIZE; | ||
3343 | break; | ||
3344 | } | ||
3345 | |||
3341 | pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); | 3346 | pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); |
3342 | if (!pi->sdu) { | 3347 | if (!pi->sdu) { |
3343 | err = -ENOMEM; | 3348 | err = -ENOMEM; |