diff options
author | João Paulo Rechi Vita <jprvita@profusion.mobi> | 2010-05-31 17:35:44 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-07-21 13:39:04 -0400 |
commit | bfbacc11550a785caf082f3ccfcd7ecf882e09a4 (patch) | |
tree | 82ec0b4aa7003884a0dec27f944db0647fd1e028 /net/bluetooth/l2cap.c | |
parent | 6e2b6722abaa3f6042357e11f465488b7c12f94c (diff) |
Bluetooth: Fix SREJ_QUEUE corruption in L2CAP
Since all TxSeq values are modulo, we shall not compare them directly. We
have to compare their offset inside the TxWindow instead.
Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/l2cap.c')
-rw-r--r-- | net/bluetooth/l2cap.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 69f098d98141..b89762134e4e 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
@@ -3394,6 +3394,8 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk) | |||
3394 | static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) | 3394 | static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) |
3395 | { | 3395 | { |
3396 | struct sk_buff *next_skb; | 3396 | struct sk_buff *next_skb; |
3397 | struct l2cap_pinfo *pi = l2cap_pi(sk); | ||
3398 | int tx_seq_offset, next_tx_seq_offset; | ||
3397 | 3399 | ||
3398 | bt_cb(skb)->tx_seq = tx_seq; | 3400 | bt_cb(skb)->tx_seq = tx_seq; |
3399 | bt_cb(skb)->sar = sar; | 3401 | bt_cb(skb)->sar = sar; |
@@ -3404,11 +3406,20 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s | |||
3404 | return 0; | 3406 | return 0; |
3405 | } | 3407 | } |
3406 | 3408 | ||
3409 | tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; | ||
3410 | if (tx_seq_offset < 0) | ||
3411 | tx_seq_offset += 64; | ||
3412 | |||
3407 | do { | 3413 | do { |
3408 | if (bt_cb(next_skb)->tx_seq == tx_seq) | 3414 | if (bt_cb(next_skb)->tx_seq == tx_seq) |
3409 | return -EINVAL; | 3415 | return -EINVAL; |
3410 | 3416 | ||
3411 | if (bt_cb(next_skb)->tx_seq > tx_seq) { | 3417 | next_tx_seq_offset = (bt_cb(next_skb)->tx_seq - |
3418 | pi->buffer_seq) % 64; | ||
3419 | if (next_tx_seq_offset < 0) | ||
3420 | next_tx_seq_offset += 64; | ||
3421 | |||
3422 | if (next_tx_seq_offset > tx_seq_offset) { | ||
3412 | __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); | 3423 | __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); |
3413 | return 0; | 3424 | return 0; |
3414 | } | 3425 | } |