From: Gustavo F. Padovan Date: Sat, 1 May 2010 19:15:40 +0000 (-0300) Subject: Bluetooth: Check the SDU size against the MTU value X-Git-Tag: firefly_0821_release~9833^2~2087^2~206 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=052897ca5019d9157ae09e5e84eee2a9ef5dccc6;p=firefly-linux-kernel-4.4.55.git Bluetooth: Check the SDU size against the MTU value If the SDU size is greater than the MTU something is wrong, so report an error. Signed-off-by: Gustavo F. Padovan [jprvita@profusion.mobi: set err to appropriate errno value] Signed-off-by: João Paulo Rechi Vita Signed-off-by: Marcel Holtmann --- diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 0889949b6896..e936913c921e 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3338,6 +3338,11 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co pi->sdu_len = get_unaligned_le16(skb->data); skb_pull(skb, 2); + if (pi->sdu_len > pi->imtu) { + err = -EMSGSIZE; + break; + } + pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); if (!pi->sdu) { err = -ENOMEM;
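Review bot: In the `@@ -3338,6 +3338,11 @@` hunk of `l2cap_sar_reassembly_sdu()`, the peer-supplied length is written to `pi->sdu_len` before it is compared with `pi->imtu`, so on the `-EMSGSIZE` path the channel state keeps the rejected value. Consider reading the length into a local variable, checking it against `pi->imtu`, and assigning `pi->sdu_len` only once it passes. The context lines also show `get_unaligned_le16(skb->data)` followed by `skb_pull(skb, 2)` with no check in view that the skb holds at least 2 bytes; that should be confirmed or added at the same spot, since the new bound is only as trustworthy as the read that feeds it. Finally, it is worth confirming that the code reached after `break` frees `skb` on this error path the same way it does for `-ENOMEM`, as that is not visible in this hunk, and a one-line comment at the check saying the SDU is rejected because its declared length exceeds the incoming MTU would help later readers.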