From: Gustavo F. Padovan
Date: Sat, 1 May 2010 19:15:37 +0000 (-0300)
Subject: Bluetooth: Check if SDU size is greater than MTU on L2CAP
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=36f2fd585f43199f006a3b5ff84e95815102cd31;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git

Bluetooth: Check if SDU size is greater than MTU on L2CAP

After reassembling the SDU we need to check its size. It can't overflow the MTU size.

Signed-off-by: Gustavo F. Padovan
Reviewed-by: João Paulo Rechi Vita
Signed-off-by: Marcel Holtmann
---
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index ac00f5fac2d2..2e354d29f102 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3277,15 +3277,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co pi->conn_state &= ~L2CAP_CONN_SAR_SDU; pi->partial_sdu_len += skb->len; + if (pi->partial_sdu_len > pi->imtu) + goto drop; + if (pi->partial_sdu_len == pi->sdu_len) { _skb = skb_clone(pi->sdu, GFP_ATOMIC); err = sock_queue_rcv_skb(sk, _skb); if (err < 0) kfree_skb(_skb); } - kfree_skb(pi->sdu); err = 0; +drop: + kfree_skb(pi->sdu); break; }
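
Review bot: The new "goto drop" path in l2cap_sar_reassembly_sdu() jumps past "err = 0;", so the value returned for an SDU larger than pi->imtu is whatever err held earlier in the function, which this hunk does not show. Set it explicitly before the jump (for example "err = -EMSGSIZE;") or add a comment saying the earlier value is the intended one, so callers can tell an oversized SDU from a delivered one. The size test also sits after "pi->partial_sdu_len += skb->len;"; if the fragment has already been copied into pi->sdu above this hunk, the bound should be tested before that copy rather than after it, otherwise the check only prevents delivery and not the oversized write. Finally, pi->sdu still points at the freed skb after "kfree_skb(pi->sdu);" at the drop label; clearing the pointer there would make any later stale use fail safely.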