Bluetooth: check L2CAP info_rsp ident and state
author Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Fri, 25 Mar 2011 09:31:41 +0000 (11:31 +0200)
committer Gustavo F. Padovan <padovan@profusion.mobi>
Thu, 31 Mar 2011 17:22:58 +0000 (14:22 -0300)

Information requests/responses are unbound to L2CAP channel. Patch
fixes issue arising when two devices connect at the same time to
each other. This way we do not process out of the context messages.
We are safe dropping info_rsp since info_timer is left running.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
net/bluetooth/l2cap_core.c

index bf09f6027bd2f6c6342b7bb0b045dbe3a2aa053e..033c83be3524147847451fa5988391bb105fff62 100644 (file)
@@ -2461,6 +2461,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
 
        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
 
+       /* L2CAP Info req/rsp are unbound to channels, add extra checks */
+       if (cmd->ident != conn->info_ident ||
+                       conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
+               return 0;
+
        del_timer(&conn->info_timer);
 
        if (result != L2CAP_IR_SUCCESS) {
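
Review bot: the new early `return 0;` drops the response silently, with no debug output, so an info_rsp rejected for a mismatched ident or for arriving after `L2CAP_INFO_FEAT_MASK_REQ_DONE` is set leaves no trace when diagnosing the simultaneous-connect case. Consider a BT_DBG before the return that prints `cmd->ident` and `conn->info_ident`. The comment says only "add extra checks"; it would help to state what is checked (ident match and request-done state) and that returning before `del_timer(&conn->info_timer)` is deliberate, since the commit message relies on info_timer still running. As a style point, parenthesising `conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE` would make its precedence against `||` explicit.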