On Fri, Jan 18, 2019 at 12:56:20PM +0100, Marcel Holtmann wrote: > When doing option parsing for standard type values of 1, 2 or 4 octets, > the value is converted directly into a variable instead of a pointer. To > avoid being tricked into being a pointer, check that for these option > types that sizes actually match. In L2CAP every option is fixed size and > thus it is prudent anyway to ensure that the remote side sends us the > right option size along with option paramters. > > If the option size is not matching the option type, then that option is > silently ignored. It is a protocol violation and instead of trying to > give the remote attacker any further hints just pretend that option is > not present and proceed with the default values. Implementation > following the specification and its qualification procedures will always > use the correct size and thus not being impacted here. > > To keep the code readable and consistent accross all options, a few > cosmetic changes were also required. Ah, that's a much nicer patch than mine, I like it. As long as the code for handling things when an option is not set properly works ok (which I'm guessing it is as that would have been found out long ago), this makes everything much simpler. > Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx> Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>