Hi Dan, * Dan Carpenter <dan.carpenter@xxxxxxxxxx> [2013-05-30 11:05:10 +0300]: > "len" can be negative here. It's harmless but pretty subtle and > scary looking so lets add a check for it. > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index a1b7a02..438f39e 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -4069,6 +4069,9 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, > BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, > result, len); > > + if (len < 0) > + return -EINVAL; > + > chan = l2cap_get_chan_by_scid(conn, scid); > if (!chan) > return 0; We already pushed to bluetooth.git a more comprehensive patch to fix this issue and others over the code. Thanks anyway for sending this. Gustavo
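Review bot: the new `if (len < 0)` check in l2cap_config_rsp() guards a value whose computation is not shown in this hunk, and the commit message says only that it "can be negative" and is "harmless". The message should state where len is derived and why a negative value does not currently lead to a bad access, so the check can be understood without reading the rest of the function. The check also sits after the BT_DBG call that prints len, so validating the length where it is computed would keep the guard next to its cause. This path returns -EINVAL while the missing-channel path just below it returns 0, so it is worth confirming what the caller does with the error for a malformed response.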