author | Gustavo F. Padovan <padovan@profusion.mobi> | 2010-05-01 15:15:37 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-05-10 03:28:47 -0400 |
commit | 36f2fd585f43199f006a3b5ff84e95815102cd31 (patch) | |
tree | 39f854d840c8c450a51d03c32f04ac771671ecbe /net/bluetooth/l2cap.c | |
parent | 277ffbe362823d18a17792fbd8e507010e666299 (diff) |
Bluetooth: Check if SDU size is greater than MTU on L2CAP
After reassembling the SDU we need to check its size. It must not exceed
the MTU size.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Reviewed-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/l2cap.c')
-rw-r--r-- | net/bluetooth/l2cap.c | 6 |
1 files changed, 5 insertions, 1 deletions
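--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3277,15 +3277,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
 pi->partial_sdu_len += skb->len;
 
+if (pi->partial_sdu_len > pi->imtu)
+goto drop;
+
 if (pi->partial_sdu_len == pi->sdu_len) {
 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
 err = sock_queue_rcv_skb(sk, _skb);
 if (err < 0)
 kfree_skb(_skb);
 }
-kfree_skb(pi->sdu);
 err = 0;
 
+drop:
+kfree_skb(pi->sdu);
 break;
 }
 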
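Review bot: The added `if (pi->partial_sdu_len > pi->imtu)` test runs after `partial_sdu_len` has already been increased by the final fragment's `skb->len`, so it limits what is queued to the socket rather than what has been accumulated. The code that appends the fragment to `pi->sdu` is above this hunk and not visible; if it copies before this point, a peer-supplied fragment longer than the space remaining in `pi->sdu` is written before it is rejected, and a bound ahead of the copy such as `if (pi->partial_sdu_len + skb->len > pi->sdu_len) goto drop;` would close that. Under `drop:` the buffer is freed but the pointer stays set; unless another path resets it, `pi->sdu = NULL;` after `kfree_skb(pi->sdu);` avoids a stale reference on the next reassembly. The `goto drop` path also skips `err = 0`, so the value returned there depends on how `err` is initialised outside the hunk, which deserves a short comment next to the label. l2cap_sar_reassembly_sdu starts and ends outside this hunk.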