From: Gordon M. <gm...@us...> - 2001-04-01 15:50:15
The following file was modified in linux/drivers/char/bluetooth: Name Old version New version Comment ---- ----------- ----------- ------- bluetooth.c 1.159 1.160=20=20=20=20=20=20=20=20=20=20=20 The accompanying log: --Fixed a bug where bt_write_top could write past the end of an allocated b= uffer. The diff of the modified file(s): --- bluetooth.c 2001/03/31 15:51:26 1.159 +++ bluetooth.c 2001/04/01 15:50:12 1.160 @@ -1373,6 +1373,11 @@ rfcomm_conid =3D CREATE_RFCOMM_ID(line, bt->dlci); =20=09 if (from_user) { + /* Our tmp_bt_buf is only one page, but nothing prevents the + * caller from giving us more than that to send. Make sure we + * don't try to write beyond the end of tmp_bt_buf. + */ + count =3D MIN(count, PAGE_SIZE); copy_from_user(tmp_bt_buf, buf, count); bytes_sent =3D rfcomm_send_data(rfcomm_conid, tmp_bt_buf, count); } else { |
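Review bot: the return value of copy_from_user is still discarded on the line right after the new clamp (`copy_from_user(tmp_bt_buf, buf, count);`), so if the user copy faults partway through, tmp_bt_buf is left holding stale bytes from an earlier write and rfcomm_send_data still transmits all `count` of them; check the return and fail with -EFAULT before sending. The clamp `count = MIN(count, PAGE_SIZE);` also truncates silently: a caller handing over more than PAGE_SIZE gets only the first page sent, so make sure the value returned to the caller reflects bytes_sent rather than the original count (or loop over the remaining data), and confirm MIN is defined for this file since the hunk adds the first use of it here.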