aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorJoão Paulo Rechi Vita <jprvita@profusion.mobi>2010-05-31 17:35:44 -0400
committerMarcel Holtmann <marcel@holtmann.org>2010-07-21 13:39:04 -0400
commitbfbacc11550a785caf082f3ccfcd7ecf882e09a4 (patch)
tree82ec0b4aa7003884a0dec27f944db0647fd1e028 /net/bluetooth
parent6e2b6722abaa3f6042357e11f465488b7c12f94c (diff)
Bluetooth: Fix SREJ_QUEUE corruption in L2CAP
Since all TxSeq values are modulo, we shall not compare them directly. We have to compare their offset inside the TxWindow instead. Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi> Acked-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/l2cap.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 69f098d98141..b89762134e4e 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3394,6 +3394,8 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3394static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) 3394static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3395{ 3395{
3396 struct sk_buff *next_skb; 3396 struct sk_buff *next_skb;
3397 struct l2cap_pinfo *pi = l2cap_pi(sk);
3398 int tx_seq_offset, next_tx_seq_offset;
3397 3399
3398 bt_cb(skb)->tx_seq = tx_seq; 3400 bt_cb(skb)->tx_seq = tx_seq;
3399 bt_cb(skb)->sar = sar; 3401 bt_cb(skb)->sar = sar;
@@ -3404,11 +3406,20 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
3404 return 0; 3406 return 0;
3405 } 3407 }
3406 3408
3409 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3410 if (tx_seq_offset < 0)
3411 tx_seq_offset += 64;
3412
3407 do { 3413 do {
3408 if (bt_cb(next_skb)->tx_seq == tx_seq) 3414 if (bt_cb(next_skb)->tx_seq == tx_seq)
3409 return -EINVAL; 3415 return -EINVAL;
3410 3416
3411 if (bt_cb(next_skb)->tx_seq > tx_seq) { 3417 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3418 pi->buffer_seq) % 64;
3419 if (next_tx_seq_offset < 0)
3420 next_tx_seq_offset += 64;
3421
3422 if (next_tx_seq_offset > tx_seq_offset) {
3412 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); 3423 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3413 return 0; 3424 return 0;
3414 } 3425 }