Bluetooth: Fix using uninitialized option in RFCMode

If remote device sends bogus RFC option with invalid length, undefined options values are used. Fix this by using defaults when remote misbehaves. This also fixes the following warning reported by gcc 4.7.0: net/bluetooth/l2cap_core.c: In function 'l2cap_config_rsp': net/bluetooth/l2cap_core.c:3302:13: warning: 'rfc.max_pdu_size' may be used uninitialized in this function [-Wmaybe-uninitialized] net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.max_pdu_size' was declared here net/bluetooth/l2cap_core.c:3298:25: warning: 'rfc.monitor_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized] net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.monitor_timeout' was declared here net/bluetooth/l2cap_core.c:3297:25: warning: 'rfc.retrans_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized] net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.retrans_timeout' was declared here net/bluetooth/l2cap_core.c:3295:2: warning: 'rfc.mode' may be used uninitialized in this function [-Wmaybe-uninitialized] net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.mode' was declared here Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
author: Szymon Janc <szymon.janc@tieto.com> 2012-06-08 05:33:33 -0400
committer: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2012-06-11 22:50:28 -0400
commit: 8f321f853ea33330c7141977cd34804476e2e07e (patch)
tree: 6b9a68b87086b13cac84d3bb300b666f133a0e6a /net
parent: 6eda541d12116b4772baa09d3e8d7b0389df4289 (diff)
1 files changed, 8 insertions, 6 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 8394e3615ef6..4554e80d16a3 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2915,12 +2915,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
-                switch (type) {
+                if (type != L2CAP_CONF_RFC)
-                case L2CAP_CONF_RFC:
+                        continue;
-                        if (olen == sizeof(rfc))
-                                memcpy(&rfc, (void *)val, olen);
+                if (olen != sizeof(rfc))
-                        goto done;
+                        break;
-                }
+                memcpy(&rfc, (void *)val, olen);
+                goto done;
        }
        /* Use sane default values in case a misbehaving remote device
author	Szymon Janc <szymon.janc@tieto.com>	2012-06-08 05:33:33 -0400
committer	Gustavo Padovan <gustavo.padovan@collabora.co.uk>	2012-06-11 22:50:28 -0400
commit	8f321f853ea33330c7141977cd34804476e2e07e (patch)
tree	6b9a68b87086b13cac84d3bb300b666f133a0e6a /net
parent	6eda541d12116b4772baa09d3e8d7b0389df4289 (diff)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 8394e3615ef6..4554e80d16a3 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -2915,12 +2915,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan chan, void rsp, int len)
2915	while (len >= L2CAP_CONF_OPT_SIZE) {	2915	while (len >= L2CAP_CONF_OPT_SIZE) {
2916	len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);	2916	len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2917		2917
2918	switch (type) {	2918	if (type != L2CAP_CONF_RFC)
2919	case L2CAP_CONF_RFC:	2919	continue;
2920	if (olen == sizeof(rfc))	2920
2921	memcpy(&rfc, (void *)val, olen);	2921	if (olen != sizeof(rfc))
2922	goto done;	2922	break;
2923	}	2923
		2924	memcpy(&rfc, (void *)val, olen);
		2925	goto done;
2924	}	2926	}
2925		2927
2926	/* Use sane default values in case a misbehaving remote device	2928	/* Use sane default values in case a misbehaving remote device