Merge tag 'v3.10.55' into update
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
index 24bee07ee4ce1a54a86f5d5bd535b13bd1e42c02..c11a28bae844fc80e91ad61e21ff4d64737945d2 100644 (file)
@@ -1793,10 +1793,10 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
        auth_type = l2cap_get_auth_type(chan);
 
        if (chan->dcid == L2CAP_CID_LE_DATA)
-               hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
+               hcon = hci_connect(hdev, LE_LINK, 0, dst, dst_type,
                                   chan->sec_level, auth_type);
        else
-               hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
+               hcon = hci_connect(hdev, ACL_LINK, 0, dst, dst_type,
                                   chan->sec_level, auth_type);
 
        if (IS_ERR(hcon)) {
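Review bot: The new third argument to `hci_connect()` is a bare `0` at both call sites, and nothing in the hunk says what it stands for. It sits among other small integer arguments (`dst_type`, `chan->sec_level`, `auth_type`), so a reader cannot confirm the argument order without opening the prototype, which is not shown here. A named constant, or a short comment such as `/* third argument: not used for LE/ACL links */` (if that is its meaning), would make the calls checkable at a glance. `l2cap_chan_connect()` starts and ends outside the hunk.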
@@ -2852,6 +2852,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
        BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
               conn, code, ident, dlen);
 
+       if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
+               return NULL;
+
        len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
        count = min_t(unsigned int, conn->mtu, len);
 
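Review bot: The added `conn->mtu` guard in `l2cap_build_cmd()` carries no comment, and its reason only becomes clear from the `min_t()` clamp of `count` to `conn->mtu` two lines below. I would put `/* MTU too small to hold the L2CAP and command headers; refuse to build the command */` above the check. The early `return NULL` also makes an undersized MTU look like any other NULL return, so callers (not visible here) must treat NULL as "command not sent". A `BT_DBG("conn %p, mtu %u too small", conn, conn->mtu);` on this path would help when diagnosing a peer or controller that reports a very small MTU. The function body continues past the end of the hunk.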
@@ -4330,7 +4333,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
        u16 type, result;
 
-       if (cmd_len != sizeof(*rsp))
+       if (cmd_len < sizeof(*rsp))
                return -EPROTO;
 
        type   = __le16_to_cpu(rsp->type);
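Review bot: Relaxing the check to `cmd_len < sizeof(*rsp)` guarantees only that the fixed `type` and `result` fields are present; trailing bytes are now accepted at whatever length the remote device sent. If the rest of `l2cap_information_rsp()` (outside this hunk) reads the variable part of the response per `type`, each read needs its own bound, for example `if (cmd_len < sizeof(*rsp) + sizeof(u32)) return -EPROTO;` ahead of a 32-bit read. Without that, a response carrying only the header could lead to parsing bytes past the end of the received command. A one-line comment above the check, noting that the response is a fixed header plus optional type-dependent data, would also explain why `!=` was wrong.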