-rw-r--r--net/bluetooth/l2cap.c20
1 files changed, 11 insertions, 9 deletions
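diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 09126bf06840..03309d29d301 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1530,7 +1530,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
  return 0;
 }
 
-static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
  struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
  u16 dcid, flags;
@@ -1550,7 +1550,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
  goto unlock;
 
  /* Reject if config buffer is too small. */
- len = cmd->len - sizeof(*req);
+ len = cmd_len - sizeof(*req);
  if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
  l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
  l2cap_build_conf_rsp(sk, rsp,
@@ -1748,15 +1748,17 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
  l2cap_raw_recv(conn, skb);
 
  while (len >= L2CAP_CMD_HDR_SIZE) {
+ u16 cmd_len;
  memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
  data += L2CAP_CMD_HDR_SIZE;
  len -= L2CAP_CMD_HDR_SIZE;
 
- cmd.len = __le16_to_cpu(cmd.len);
+ cmd_len = le16_to_cpu(cmd.len);
+ cmd.len = cmd_len;
 
- BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd.len, cmd.ident);
+ BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
 
- if (cmd.len > len || !cmd.ident) {
+ if (cmd_len > len || !cmd.ident) {
  BT_DBG("corrupted command");
  break;
  }
@@ -1775,7 +1777,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
  break;
 
  case L2CAP_CONF_REQ:
- err = l2cap_config_req(conn, &cmd, data);
+ err = l2cap_config_req(conn, &cmd, cmd_len, data);
  break;
 
  case L2CAP_CONF_RSP:
@@ -1791,7 +1793,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
  break;
 
  case L2CAP_ECHO_REQ:
- l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd.len, data);
+ l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
  break;
 
  case L2CAP_ECHO_RSP:
@@ -1820,8 +1822,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
  l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
  }
 
- data += cmd.len;
- len -= cmd.len;
+ data += cmd_len;
+ len -= cmd_len;
  }
 
  kfree_skb(skb);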
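Review bot: In l2cap_config_req, `len = cmd_len - sizeof(*req);` is computed with no check that the peer-supplied cmd_len covers the fixed request header, so a length shorter than `sizeof(*req)` wraps in the size_t subtraction. The only validation visible is `cmd_len > len` in l2cap_sig_channel, which caps the command at the remaining skb data but sets no minimum, and the `req` cast on the function's first line is presumably dereferenced before this point. Whether the following `conf_len + len > sizeof(...)` comparison happens to reject the wrapped value depends on the declared type of `len`, which is outside the hunk. An explicit guard at function entry, `if (cmd_len < sizeof(*req)) return -EPROTO;`, would make the rejection deliberate and would sit before the path that ends in `goto unlock`. Both function bodies extend beyond the hunks shown, and the other signalling handlers, which appear to receive only `&cmd` and `data`, may need the same minimum-length check.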