From: Mattias A. <mat...@us...> - 2001-05-21 07:32:51
The following file was modified in linux/drivers/char/bluetooth: Name Old version New version Comment ---- ----------- ----------- ------- l2cap.c 1.107 1.108=20=20=20=20=20=20=20=20=20=20=20 The accompanying log: * added sanity checks in l2cap_receive_data * corrected flow option length in config req The diff of the modified file(s):
--- l2cap.c 2001/04/26 13:33:26 1.107
+++ l2cap.c 2001/05/21 07:32:50 1.108
@@ -532,6 +532,25 @@
 pkt_len =3D le16_to_cpu(pkt->len);
 pkt_cid =3D le16_to_cpu(pkt->cid);
=20
+ /* Do some sanity checks */
+ if (pkt_len > HCI_IN_SIZE)
+ {
+ /* Packet won't fit in inbuffers */
+ D_ERR(__FUNCTION__": packet too big [%d], discard packet= \n",=20
+ pkt_len);
+ hci_clear_buffer(hci_handle);
+ return;
+ }
+
+ if ((pkt_cid !=3D 1) && (pkt_cid !=3D 2) &&
+ ((pkt_cid < 0x0040) || (pkt_cid > 0xffff)))
+ {
+ D_ERR(__FUNCTION__": invalid CID [%d], discard packet\n"= ,=20
+ pkt_cid);
+ hci_clear_buffer(hci_handle);
+ return;
+ }
+
 /* l2cap_len is checked in hci, when l2cap_len bytes=20
 has been received in hci this function is called again */
 *l2cap_len =3D pkt_len + L2CAP_HDRSIZE;
@@ -2117,7 +2136,7 @@
=20=09
 if (outflow !=3D NULL) {
 /* We inform peer about our QOS settings */
- opt_len +=3D sizeof *outflow;
+ opt_len +=3D sizeof *outflow + 2; /* include type/len */
 }
=20=09
 payload_len =3D SIGCMD_HDRSIZE + CONF_REQSIZE + opt_len;=20=20
@@ -2680,15 +2699,15 @@
 {
 l2cap_tx_buf *l2cap_buf;
=20
- D_XMIT(__FUNCTION__ ": hdl : %d, rcid : %d, len:%d \n",
- con->hci_hdl, con->remote_cid, tx->cur_len);
-
 if (PARANOIA_CHECKCON(con)) {
 D_ERR(__FUNCTION__ ": Paranoia check failed\n");
 tx->flushed =3D 1; /* flush this buffer */
 return -EINVAL;
 }
=20
+ D_XMIT(__FUNCTION__ ": hdl : %d, rcid : %d, len:%d \n",
+ con->hci_hdl, con->remote_cid, tx->cur_len);
+
 if (tx->cur_len > con->remote_mtu) {
 D_ERR("%s tries to send more than remote mtu, ignore\n",=20
 psm2str(con->psm));
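Review bot: The new length check in the `@@ -532,6 +532,25 @@` hunk compares `pkt_len` alone with `HCI_IN_SIZE`, but the context line just below it sets `*l2cap_len = pkt_len + L2CAP_HDRSIZE`, so a payload within `L2CAP_HDRSIZE` bytes of the limit passes the check while the total to be collected exceeds it. If the in-buffer is `HCI_IN_SIZE` bytes and also holds the L2CAP header (its declaration is outside the hunk, so this needs confirming), the bound should be `if (pkt_len > HCI_IN_SIZE - L2CAP_HDRSIZE)`. In the CID check, `pkt_cid > 0xffff` can never be true for a value returned by `le16_to_cpu()`, so the condition reduces to `(pkt_cid != 1) && (pkt_cid != 2) && (pkt_cid < 0x0040)`; dropping the dead comparison makes the accepted range easier to read. The function's body starts and ends outside the hunk.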
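Review bot: The bare `+ 2` added to `opt_len` in the `@@ -2117,7 +2136,7 @@` hunk encodes the option's type/length header size as a magic number, and `payload_len` on the following context line is derived from it, so any drift between this count and the bytes actually written for the option yields a wrong signalled length. A named constant shared with the code that serializes the option would keep the two in step, for example `opt_len += CONF_OPT_HDRSIZE + sizeof *outflow;` (the constant name is constructed for illustration; the file may already define a suitable one). The code that writes the option, and any other options added to `opt_len`, are outside the hunk, so whether they already count their type/length bytes should be checked as well.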
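Review bot: Nothing in the `@@ -2680,15 +2699,15 @@` hunk records why the `D_XMIT` trace now sits below `PARANOIA_CHECKCON(con)`, so a later cleanup could move it back to the top of the function and again read `con->hci_hdl` and `con->remote_cid` before `con` has been validated. A one-line comment above the trace would pin the ordering: `/* con is only dereferenced after the paranoia check */`. Separately, `tx` is still written (`tx->flushed = 1`) and read (`tx->cur_len`) with no check visible in the hunk; whether callers guarantee it is non-NULL cannot be seen from here. The function starts and ends outside the hunk.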
@@ -2803,8 +2822,6 @@ void l2ca_disconnect_cfm(l2cap_con *con) { - s32 tmp_hdl; - D_STATE(__FUNCTION__ ": remote cid : %d\n", con->remote_cid); =20 /* tell upper layers that connection is down */ |