diff options
Diffstat (limited to 'net/bluetooth/l2cap.c')
| -rw-r--r-- | net/bluetooth/l2cap.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 36cd4e4e6ad1..ac00f5fac2d2 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
| @@ -3627,10 +3627,17 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk | |||
| 3627 | if (l2cap_check_fcs(pi, skb)) | 3627 | if (l2cap_check_fcs(pi, skb)) |
| 3628 | goto drop; | 3628 | goto drop; |
| 3629 | 3629 | ||
| 3630 | if (__is_iframe(control)) | 3630 | if (__is_iframe(control)) { |
| 3631 | if (len < 4) | ||
| 3632 | goto drop; | ||
| 3633 | |||
| 3631 | l2cap_data_channel_iframe(sk, control, skb); | 3634 | l2cap_data_channel_iframe(sk, control, skb); |
| 3632 | else | 3635 | } else { |
| 3636 | if (len != 0) | ||
| 3637 | goto drop; | ||
| 3638 | |||
| 3633 | l2cap_data_channel_sframe(sk, control, skb); | 3639 | l2cap_data_channel_sframe(sk, control, skb); |
| 3640 | } | ||
| 3634 | 3641 | ||
| 3635 | goto done; | 3642 | goto done; |
| 3636 | 3643 | ||
| @@ -3645,7 +3652,8 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk | |||
| 3645 | if (pi->fcs == L2CAP_FCS_CRC16) | 3652 | if (pi->fcs == L2CAP_FCS_CRC16) |
| 3646 | len -= 2; | 3653 | len -= 2; |
| 3647 | 3654 | ||
| 3648 | if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control)) | 3655 | if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || len < 4 |
| 3656 | || __is_sframe(control)) | ||
| 3649 | goto drop; | 3657 | goto drop; |
| 3650 | 3658 | ||
| 3651 | if (l2cap_check_fcs(pi, skb)) | 3659 | if (l2cap_check_fcs(pi, skb)) |