Bluetooth: Check the SDU size against the MTU value
author: Gustavo F. Padovan <padovan@profusion.mobi>
Sat, 1 May 2010 19:15:40 +0000 (16:15 -0300)
committer: Marcel Holtmann <marcel@holtmann.org>
Mon, 10 May 2010 07:28:49 +0000 (09:28 +0200)

If the SDU size is greater than the MTU something is wrong, so report
an error.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
[jprvita@profusion.mobi: set err to appropriate errno value]
Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/l2cap.c

index 0889949b6896004eb79f5510bb2fb4d6f8269150..e936913c921ebef73d30a47bab1b4f06638ff12e 100644 (file)
@@ -3338,6 +3338,11 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
                pi->sdu_len = get_unaligned_le16(skb->data);
                skb_pull(skb, 2);
 
+               if (pi->sdu_len > pi->imtu) {
+                       err = -EMSGSIZE;
+                       break;
+               }
+
                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
                if (!pi->sdu) {
                        err = -ENOMEM;
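
Review bot: The new `pi->sdu_len > pi->imtu` branch leaves via `break` after `skb_pull(skb, 2)` has already consumed the length field, and nothing in this hunk shows what the code after the switch does with the skb or the reassembly state when `err` is set. Please confirm that this path cleans up the same way as the `-ENOMEM` branch just below it (skb freed, no SDU left marked as in progress), so that a following continuation fragment is not appended to a stale or missing `pi->sdu`. It would also help to add a one-line comment above the check noting that `sdu_len` is read straight from the received frame and that the comparison is what bounds the `bt_skb_alloc(pi->sdu_len, GFP_ATOMIC)` size. The commit message says "report an error" but not what the caller does with `-EMSGSIZE`; stating whether the frame is dropped or the channel is torn down would make the intended behaviour reviewable.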