Hi Marcel,

On Fri, Jan 18, 2019, Marcel Holtmann wrote:
> When doing option parsing for standard type values of 1, 2 or 4 octets,
> the value is converted directly into a variable instead of a pointer. To
> avoid being tricked into being a pointer, check that for these option
> types that sizes actually match. In L2CAP every option is fixed size and
> thus it is prudent anyway to ensure that the remote side sends us the
> right option size along with option parameters.
>
> If the option size is not matching the option type, then that option is
> silently ignored. It is a protocol violation and instead of trying to
> give the remote attacker any further hints just pretend that option is
> not present and proceed with the default values. Implementation
> following the specification and its qualification procedures will always
> use the correct size and thus not being impacted here.
>
> To keep the code readable and consistent across all options, a few
> cosmetic changes were also required.
>
> Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> ---
>  net/bluetooth/l2cap_core.c | 77 +++++++++++++++++++++++---------------
>  1 file changed, 46 insertions(+), 31 deletions(-)

Applied to bluetooth-next. Thanks.

Johan
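The size check described in the commit message, as an added user-space sketch in C; it is not the kernel patch and not code from l2cap_core.c. The type codes and value sizes follow the L2CAP configuration option format, while `struct conf`, `expected_len`, `parse_conf` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2CAP configuration option types; struct conf is a hypothetical holder. */
enum { OPT_MTU = 0x01, OPT_FLUSH_TO = 0x02, OPT_RFC = 0x04, OPT_FCS = 0x05 };
struct conf { uint16_t mtu, flush_to; uint8_t fcs, rfc_mode; };

/* Fixed value size in octets for each option type handled here. */
static int expected_len(uint8_t type)
{
	switch (type) {
	case OPT_MTU:      return 2;
	case OPT_FLUSH_TO: return 2;
	case OPT_RFC:      return 9;
	case OPT_FCS:      return 1;
	default:           return -1; /* not handled in this sketch */
	}
}

/* Returns the number of options applied, or -1 if a value overruns buf. */
static int parse_conf(const uint8_t *buf, size_t len, struct conf *c)
{
	int applied = 0;
	for (size_t off = 0; len - off >= 2; ) {
		uint8_t type = buf[off] & 0x7f; /* top bit is the hint flag */
		uint8_t olen = buf[off + 1];
		const uint8_t *val = buf + off + 2;
		if (olen > len - off - 2)
			return -1;
		off += 2 + (size_t)olen;
		if ((int)olen != expected_len(type))
			continue; /* wrong size: ignore option, keep the default */
		switch (type) {
		case OPT_MTU:      c->mtu = (uint16_t)(val[0] | val[1] << 8); break;
		case OPT_FLUSH_TO: c->flush_to = (uint16_t)(val[0] | val[1] << 8); break;
		case OPT_RFC:      c->rfc_mode = val[0]; break;
		case OPT_FCS:      c->fcs = val[0]; break;
		}
		applied++;
	}
	return applied;
}

/* Constructed input: MTU (ok), FCS with len 4 (bad), FLUSH_TO with len 1 (bad), RFC (ok). */
static const uint8_t sample[] = { 0x01,0x02,0x00,0x04, 0x05,0x04,0,0,0,0, 0x02,0x01,0xff, 0x04,0x09,0x03,0,0,0,0,0,0,0,0 };

int main(void)
{
	struct conf c = { 672, 0xffff, 1, 0 }; /* defaults assumed for the sketch */
	int n = parse_conf(sample, sizeof sample, &c);
	printf("applied=%d mtu=%u flush_to=%u fcs=%u mode=%u\n", n, c.mtu, c.flush_to, c.fcs, c.rfc_mode);
	return 0;
}
```

The two mis-sized options are skipped without an error, so the caller sees the same result as if they had never been sent.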