[BLUETOOTH]: pass (host-endian) cmd length as explicit argument to l2cap_conf_req()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
8e036fc314
commit
88219a0f65
1 changed files with 11 additions and 9 deletions
|
@ -1530,7 +1530,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
|
static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
|
||||||
{
|
{
|
||||||
struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
|
struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
|
||||||
u16 dcid, flags;
|
u16 dcid, flags;
|
||||||
|
@ -1550,7 +1550,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
|
||||||
goto unlock;
|
goto unlock;
|
||||||
|
|
||||||
/* Reject if config buffer is too small. */
|
/* Reject if config buffer is too small. */
|
||||||
len = cmd->len - sizeof(*req);
|
len = cmd_len - sizeof(*req);
|
||||||
if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
||||||
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
|
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
|
||||||
l2cap_build_conf_rsp(sk, rsp,
|
l2cap_build_conf_rsp(sk, rsp,
|
||||||
|
@ -1748,15 +1748,17 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
|
||||||
l2cap_raw_recv(conn, skb);
|
l2cap_raw_recv(conn, skb);
|
||||||
|
|
||||||
while (len >= L2CAP_CMD_HDR_SIZE) {
|
while (len >= L2CAP_CMD_HDR_SIZE) {
|
||||||
|
u16 cmd_len;
|
||||||
memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
|
memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
|
||||||
data += L2CAP_CMD_HDR_SIZE;
|
data += L2CAP_CMD_HDR_SIZE;
|
||||||
len -= L2CAP_CMD_HDR_SIZE;
|
len -= L2CAP_CMD_HDR_SIZE;
|
||||||
|
|
||||||
cmd.len = __le16_to_cpu(cmd.len);
|
cmd_len = le16_to_cpu(cmd.len);
|
||||||
|
cmd.len = cmd_len;
|
||||||
|
|
||||||
BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd.len, cmd.ident);
|
BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
|
||||||
|
|
||||||
if (cmd.len > len || !cmd.ident) {
|
if (cmd_len > len || !cmd.ident) {
|
||||||
BT_DBG("corrupted command");
|
BT_DBG("corrupted command");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -1775,7 +1777,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case L2CAP_CONF_REQ:
|
case L2CAP_CONF_REQ:
|
||||||
err = l2cap_config_req(conn, &cmd, data);
|
err = l2cap_config_req(conn, &cmd, cmd_len, data);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case L2CAP_CONF_RSP:
|
case L2CAP_CONF_RSP:
|
||||||
|
@ -1791,7 +1793,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case L2CAP_ECHO_REQ:
|
case L2CAP_ECHO_REQ:
|
||||||
l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd.len, data);
|
l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case L2CAP_ECHO_RSP:
|
case L2CAP_ECHO_RSP:
|
||||||
|
@ -1820,8 +1822,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
|
||||||
l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
|
l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
|
||||||
}
|
}
|
||||||
|
|
||||||
data += cmd.len;
|
data += cmd_len;
|
||||||
len -= cmd.len;
|
len -= cmd_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
kfree_skb(skb);
|
kfree_skb(skb);
|
||||||
|
|
Loading…
Reference in a new issue