summaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorAndrei Emeltchenko <andrei.emeltchenko@nokia.com>2010-09-15 13:28:43 +0200
committerGustavo F. Padovan <padovan@profusion.mobi>2010-10-12 17:44:52 +0200
commitaae7fe22a875a84e328469e228cba033ebbf20cb (patch)
tree7d626dac2d97753784bd85f23c2480682c7f6745 /net/bluetooth
parentBluetooth: check L2CAP length in first ACL fragment (diff)
downloadlinux-aae7fe22a875a84e328469e228cba033ebbf20cb.tar.xz
linux-aae7fe22a875a84e328469e228cba033ebbf20cb.zip
Bluetooth: check for l2cap header in start fragment
BLUETOOTH SPECIFICATION Version 4.0 [Vol 3] page 36 mentioned "Note: Start Fragments always begin with the Basic L2CAP header of a PDU." Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/l2cap.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 5441083ff1ca..7da6432f6799 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -4675,7 +4675,8 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
l2cap_conn_unreliable(conn, ECOMM);
}
- if (skb->len < 2) {
+ /* Start fragment always begin with Basic L2CAP header */
+ if (skb->len < L2CAP_HDR_SIZE) {
BT_ERR("Frame is too short (len %d)", skb->len);
l2cap_conn_unreliable(conn, ECOMM);
goto drop;