aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth/bnep
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth/bnep')
-rw-r--r--net/bluetooth/bnep/core.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 03d4d1245d58..940b4e129741 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -187,6 +187,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
187 n /= (ETH_ALEN * 2); 187 n /= (ETH_ALEN * 2);
188 188
189 if (n > 0) { 189 if (n > 0) {
190 int i;
191
190 s->mc_filter = 0; 192 s->mc_filter = 0;
191 193
192 /* Always send broadcast */ 194 /* Always send broadcast */
@@ -202,12 +204,14 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
202 BT_DBG("mc filter %s -> %s", 204 BT_DBG("mc filter %s -> %s",
203 batostr((void *) a1), batostr((void *) a2)); 205 batostr((void *) a1), batostr((void *) a2));
204 206
205 #define INCA(a) { int i = 5; while (i >=0 && ++a[i--] == 0); }
206
207 /* Iterate from a1 to a2 */ 207 /* Iterate from a1 to a2 */
208 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 208 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
209 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) { 209 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) {
210 INCA(a1); 210 /* Increment a1 */
211 i = 5;
212 while (i >= 0 && ++a1[i--] == 0)
213 ;
214
211 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 215 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
212 } 216 }
213 } 217 }
@@ -302,7 +306,6 @@ static u8 __bnep_rx_hlen[] = {
302 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */ 306 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */
303 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */ 307 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */
304}; 308};
305#define BNEP_RX_TYPES (sizeof(__bnep_rx_hlen) - 1)
306 309
307static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) 310static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
308{ 311{
@@ -314,7 +317,7 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
314 317
315 type = *(u8 *) skb->data; skb_pull(skb, 1); 318 type = *(u8 *) skb->data; skb_pull(skb, 1);
316 319
317 if ((type & BNEP_TYPE_MASK) > BNEP_RX_TYPES) 320 if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
318 goto badframe; 321 goto badframe;
319 322
320 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) { 323 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {