diff options
author | João Paulo Rechi Vita <jprvita@profusion.mobi> | 2010-05-01 21:15:43 +0200 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-05-10 09:28:51 +0200 |
commit | 01760bdde9a92413b7fff928d08e19352bf09d82 (patch) | |
tree | 3bee629d9b15e71c92fbb799498f5cb0dd89ceb9 /net/bluetooth/l2cap.c | |
parent | Bluetooth: Fix SDU reassembly under SREJ (diff) | |
download | linux-01760bdde9a92413b7fff928d08e19352bf09d82.tar.xz linux-01760bdde9a92413b7fff928d08e19352bf09d82.zip |
Bluetooth: Close L2CAP channel on invalid ReqSeq
Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to '')
-rw-r--r-- | net/bluetooth/l2cap.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 478def700c7c..31514d8faa66 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3772,7 +3772,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk struct sock *sk; struct l2cap_pinfo *pi; u16 control, len; - u8 tx_seq; + u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset; sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); if (!sk) { @@ -3823,6 +3823,22 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk if (l2cap_check_fcs(pi, skb)) goto drop; + req_seq = __get_reqseq(control); + req_seq_offset = (req_seq - pi->expected_ack_seq) % 64; + if (req_seq_offset < 0) + req_seq_offset += 64; + + next_tx_seq_offset = + (pi->next_tx_seq - pi->expected_ack_seq) % 64; + if (next_tx_seq_offset < 0) + next_tx_seq_offset += 64; + + /* check for invalid req-seq */ + if (req_seq_offset > next_tx_seq_offset) { + l2cap_send_disconn_req(pi->conn, sk); + goto drop; + } + if (__is_iframe(control)) { if (len < 4) goto drop; |