3 files changed, 6 insertions, 3 deletions

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 7794a2e2adce..99d68c34e4f1 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1002,7 +1002,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
 
         BT_DBG("sk %p", sk);
 
-        if (!addr || addr->sa_family != AF_BLUETOOTH)
+        if (!addr || alen < sizeof(addr->sa_family) ||
+            addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
 
         memset(&la, 0, sizeof(la));
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7f439765403d..8ed3c37684fa 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -397,7 +397,8 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a
 
         BT_DBG("sk %p", sk);
 
-        if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_rc))
+        if (alen < sizeof(struct sockaddr_rc) ||
+            addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
 
         lock_sock(sk);
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index e5b16b76b22e..ca6b2ad1c3fc 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,7 +499,8 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
 
         BT_DBG("sk %p", sk);
 
-        if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_sco))
+        if (alen < sizeof(struct sockaddr_sco) ||
+            addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
 
         if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)