diff options
| author | Johan Hedberg <johan.hedberg@intel.com> | 2012-10-19 13:10:46 -0400 |
|---|---|---|
| committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2012-11-09 10:45:37 -0500 |
| commit | 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 (patch) | |
| tree | ee7320286f066bfec7739bb8f083367d47fe2d74 /net | |
| parent | 6fe7cc71bbf3a0bc28c9cec3c00bc11e81344412 (diff) | |
Bluetooth: Fix having bogus entries in mgmt_read_index_list reply
The mgmt_read_index_list uses one loop to calculate the max needed size
of its response with the help of an upper-bound of the controller count.
The second loop is more strict as it checks for HCI_SETUP (which might
have gotten set after the first loop) and could result in some indexes
being skipped. Because of this the function needs to readjust the event
length and index count after filling in the response array.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/mgmt.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index aa2ea0a8142c..2cfabe27d3e0 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c | |||
| @@ -326,7 +326,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 326 | struct hci_dev *d; | 326 | struct hci_dev *d; |
| 327 | size_t rp_len; | 327 | size_t rp_len; |
| 328 | u16 count; | 328 | u16 count; |
| 329 | int i, err; | 329 | int err; |
| 330 | 330 | ||
| 331 | BT_DBG("sock %p", sk); | 331 | BT_DBG("sock %p", sk); |
| 332 | 332 | ||
| @@ -347,9 +347,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 347 | return -ENOMEM; | 347 | return -ENOMEM; |
| 348 | } | 348 | } |
| 349 | 349 | ||
| 350 | rp->num_controllers = cpu_to_le16(count); | 350 | count = 0; |
| 351 | |||
| 352 | i = 0; | ||
| 353 | list_for_each_entry(d, &hci_dev_list, list) { | 351 | list_for_each_entry(d, &hci_dev_list, list) { |
| 354 | if (test_bit(HCI_SETUP, &d->dev_flags)) | 352 | if (test_bit(HCI_SETUP, &d->dev_flags)) |
| 355 | continue; | 353 | continue; |
| @@ -357,10 +355,13 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 357 | if (!mgmt_valid_hdev(d)) | 355 | if (!mgmt_valid_hdev(d)) |
| 358 | continue; | 356 | continue; |
| 359 | 357 | ||
| 360 | rp->index[i++] = cpu_to_le16(d->id); | 358 | rp->index[count++] = cpu_to_le16(d->id); |
| 361 | BT_DBG("Added hci%u", d->id); | 359 | BT_DBG("Added hci%u", d->id); |
| 362 | } | 360 | } |
| 363 | 361 | ||
| 362 | rp->num_controllers = cpu_to_le16(count); | ||
| 363 | rp_len = sizeof(*rp) + (2 * count); | ||
| 364 | |||
| 364 | read_unlock(&hci_dev_list_lock); | 365 | read_unlock(&hci_dev_list_lock); |
| 365 | 366 | ||
| 366 | err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp, | 367 | err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp, |