Hi Greg,

>> When doing option parsing for standard type values of 1, 2 or 4 octets,
>> the value is converted directly into a variable instead of a pointer. To
>> avoid being tricked into being a pointer, check that for these option
>> types that sizes actually match. In L2CAP every option is fixed size and
>> thus it is prudent anyway to ensure that the remote side sends us the
>> right option size along with option parameters.
>>
>> If the option size is not matching the option type, then that option is
>> silently ignored. It is a protocol violation and instead of trying to
>> give the remote attacker any further hints just pretend that option is
>> not present and proceed with the default values. Implementation
>> following the specification and its qualification procedures will always
>> use the correct size and thus not being impacted here.
>>
>> To keep the code readable and consistent across all options, a few
>> cosmetic changes were also required.
>
> Ah, that's a much nicer patch than mine, I like it. As long as the code
> for handling things when an option is not set properly works ok (which
> I'm guessing it is as that would have been found out long ago), this
> makes everything much simpler.

We treat it as the option would not be present and that is allowed since Bluetooth 1.0b and works just fine.

Regards

Marcel
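The size check described in the quoted commit message, as an added user-space example that is not part of the thread or of the kernel patch: an option whose length does not match its type is skipped and the default stays in place. The option type codes and sizes are taken from the Bluetooth Core specification rather than from this thread, and the struct, function names and sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option types and sizes are from the Bluetooth Core specification, not from
 * the thread; struct and function names are hypothetical. */
enum { OPT_MTU = 0x01, OPT_FLUSH_TO = 0x02, OPT_FCS = 0x05 };

struct conf { uint16_t mtu; uint16_t flush_to; uint8_t fcs; };

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk type/length/value options. c holds defaults on entry. An option whose
 * length does not match its type is skipped as if absent. Returns the number
 * of options applied, or -1 if the buffer ends inside an option. */
int parse_conf_opts(const uint8_t *buf, size_t len, struct conf *c)
{
    size_t off = 0;
    int applied = 0;

    while (off < len) {
        if (len - off < 2 || buf[off + 1] > len - off - 2)
            return -1;                      /* truncated header or value */
        uint8_t type = buf[off], olen = buf[off + 1];
        const uint8_t *val = buf + off + 2;
        off += 2 + (size_t)olen;

        if (type == OPT_MTU && olen == 2) {
            c->mtu = get_le16(val); applied++;
        } else if (type == OPT_FLUSH_TO && olen == 2) {
            c->flush_to = get_le16(val); applied++;
        } else if (type == OPT_FCS && olen == 1) {
            c->fcs = val[0]; applied++;
        }                                   /* anything else: ignored */
    }
    return applied;
}

int main(void)
{
    /* Constructed input: MTU with a bogus 4-octet length, then a valid FCS. */
    const uint8_t req[] = { 0x01, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x05, 0x01, 0x00 };
    struct conf c = { 672, 0xffff, 1 };     /* sample defaults */
    int n = parse_conf_opts(req, sizeof req, &c);
    printf("applied=%d mtu=%u fcs=%u\n", n, c.mtu, c.fcs);
    return 0;
}
```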