diff options
| author | Marcel Holtmann <marcel@holtmann.org> | 2015-04-01 16:51:54 -0400 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2015-04-02 01:44:02 -0400 |
| commit | 0151e426b150db17992b49fa9ce96b79dace2aed (patch) | |
| tree | 572059f3f21b9a4b794d79705d8f7de00d8378c1 /net/bluetooth | |
| parent | 5f5da99f1da5b01c7c45473a500c7dbb77a00958 (diff) | |
Bluetooth: Restrict BNEP flags to only valid ones
The BNEP flags should be clearly restricted to valid ones. So this puts
extra checks in place to ensure this.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'net/bluetooth')
| -rw-r--r-- | net/bluetooth/bnep/core.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c index 05f57e491ccb..c05eccc1cf82 100644 --- a/net/bluetooth/bnep/core.c +++ b/net/bluetooth/bnep/core.c | |||
| @@ -525,6 +525,7 @@ static struct device_type bnep_type = { | |||
| 525 | 525 | ||
| 526 | int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) | 526 | int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) |
| 527 | { | 527 | { |
| 528 | u32 valid_flags = 0; | ||
| 528 | struct net_device *dev; | 529 | struct net_device *dev; |
| 529 | struct bnep_session *s, *ss; | 530 | struct bnep_session *s, *ss; |
| 530 | u8 dst[ETH_ALEN], src[ETH_ALEN]; | 531 | u8 dst[ETH_ALEN], src[ETH_ALEN]; |
| @@ -535,6 +536,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) | |||
| 535 | if (!l2cap_is_socket(sock)) | 536 | if (!l2cap_is_socket(sock)) |
| 536 | return -EBADFD; | 537 | return -EBADFD; |
| 537 | 538 | ||
| 539 | if (req->flags & ~valid_flags) | ||
| 540 | return -EINVAL; | ||
| 541 | |||
| 538 | baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst); | 542 | baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst); |
| 539 | baswap((void *) src, &l2cap_pi(sock->sk)->chan->src); | 543 | baswap((void *) src, &l2cap_pi(sock->sk)->chan->src); |
| 540 | 544 | ||
| @@ -611,11 +615,15 @@ failed: | |||
| 611 | 615 | ||
| 612 | int bnep_del_connection(struct bnep_conndel_req *req) | 616 | int bnep_del_connection(struct bnep_conndel_req *req) |
| 613 | { | 617 | { |
| 618 | u32 valid_flags = 0; | ||
| 614 | struct bnep_session *s; | 619 | struct bnep_session *s; |
| 615 | int err = 0; | 620 | int err = 0; |
| 616 | 621 | ||
| 617 | BT_DBG(""); | 622 | BT_DBG(""); |
| 618 | 623 | ||
| 624 | if (req->flags & ~valid_flags) | ||
| 625 | return -EINVAL; | ||
| 626 | |||
| 619 | down_read(&bnep_session_sem); | 627 | down_read(&bnep_session_sem); |
| 620 | 628 | ||
| 621 | s = __bnep_get_session(req->dst); | 629 | s = __bnep_get_session(req->dst); |
| @@ -631,10 +639,12 @@ int bnep_del_connection(struct bnep_conndel_req *req) | |||
| 631 | 639 | ||
| 632 | static void __bnep_copy_ci(struct bnep_conninfo *ci, struct bnep_session *s) | 640 | static void __bnep_copy_ci(struct bnep_conninfo *ci, struct bnep_session *s) |
| 633 | { | 641 | { |
| 642 | u32 valid_flags = 0; | ||
| 643 | |||
| 634 | memset(ci, 0, sizeof(*ci)); | 644 | memset(ci, 0, sizeof(*ci)); |
| 635 | memcpy(ci->dst, s->eh.h_source, ETH_ALEN); | 645 | memcpy(ci->dst, s->eh.h_source, ETH_ALEN); |
| 636 | strcpy(ci->device, s->dev->name); | 646 | strcpy(ci->device, s->dev->name); |
| 637 | ci->flags = s->flags; | 647 | ci->flags = s->flags & valid_flags; |
| 638 | ci->state = s->state; | 648 | ci->state = s->state; |
| 639 | ci->role = s->role; | 649 | ci->role = s->role; |
| 640 | } | 650 | } |