Diffstat (limited to 'net/bluetooth/l2cap.c')
-rw-r--r-- | net/bluetooth/l2cap.c | 20 |
1 files changed, 11 insertions, 9 deletions
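--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1530,7 +1530,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
 return 0;
 }
 
-static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
 u16 dcid, flags;
@@ -1550,7 +1550,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
 goto unlock;
 
 /* Reject if config buffer is too small. */
-len = cmd->len - sizeof(*req);
+len = cmd_len - sizeof(*req);
 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
 l2cap_build_conf_rsp(sk, rsp,
@@ -1748,15 +1748,17 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
 l2cap_raw_recv(conn, skb);
 
 while (len >= L2CAP_CMD_HDR_SIZE) {
+u16 cmd_len;
 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
 data += L2CAP_CMD_HDR_SIZE;
 len -= L2CAP_CMD_HDR_SIZE;
 
-cmd.len = __le16_to_cpu(cmd.len);
+cmd_len = le16_to_cpu(cmd.len);
+cmd.len = cmd_len;
 
-BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd.len, cmd.ident);
+BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
 
-if (cmd.len > len || !cmd.ident) {
+if (cmd_len > len || !cmd.ident) {
 BT_DBG("corrupted command");
 break;
 }
@@ -1775,7 +1777,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
 break;
 
 case L2CAP_CONF_REQ:
-err = l2cap_config_req(conn, &cmd, data);
+err = l2cap_config_req(conn, &cmd, cmd_len, data);
 break;
 
 case L2CAP_CONF_RSP:
@@ -1791,7 +1793,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
 break;
 
 case L2CAP_ECHO_REQ:
-l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd.len, data);
+l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
 break;
 
 case L2CAP_ECHO_RSP:
@@ -1820,8 +1822,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
 }
 
-data += cmd.len;
-len -= cmd.len;
+data += cmd_len;
+len -= cmd_len;
 }
 
 kfree_skb(skb);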
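Review bot: The subtraction `len = cmd_len - sizeof(*req);` at new line 1553 in l2cap_config_req has no lower bound on `cmd_len`, which is taken from the peer's command header; the only check visible in l2cap_sig_channel before dispatch is the upper bound `cmd_len > len`. If `cmd_len` is smaller than `sizeof(*req)` the subtraction wraps, and whether the following `conf_len + len > sizeof(...)` test still rejects the request depends on the types of `len` and `conf_len`, which are declared outside the visible hunks. A guard placed before `req` is first read, such as `if (cmd_len < sizeof(*req)) return -EPROTO;`, would make the bound explicit and would also cover the earlier reads of the request fields. The function body starts and ends outside the hunk, so the exact placement relative to the channel lookup and the `unlock` label needs checking against the full source.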