Tree - kernel/kernel-source - Pagure for openSUSE

kernel / kernel-source

Source
Stats

Blame patches.kernel.org/4.12.13-017-Bluetooth-Properly-check-L2CAP-config-option-.patch

Blob History Raw

Jiri Slaby	5f5d62	`From: Ben Seri <ben@armis.com>`
Jiri Slaby	5f5d62	`Date: Sat, 9 Sep 2017 23:15:59 +0200`
Jiri Slaby	5f5d62	`Subject: [PATCH] Bluetooth: Properly check L2CAP config option output buffer`
Jiri Slaby	5f5d62	`length`
Jiri Slaby	5f5d62	`References: bnc#1060662 bnc#1057389 CVE-2017-1000251`
Thomas Zimmermann	1d81d2	`Patch-mainline: v4.12.13`
Jiri Slaby	5f5d62	`Git-commit: e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`Validate the output buffer length for L2CAP config requests and responses`
Jiri Slaby	5f5d62	`to avoid overflowing the stack buffer used for building the option blocks.`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`Signed-off-by: Ben Seri <ben@armis.com>`
Jiri Slaby	5f5d62	`Signed-off-by: Marcel Holtmann <marcel@holtmann.org>`
Jiri Slaby	5f5d62	`Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>`
Jiri Slaby	5f5d62	`Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>`
Jiri Slaby	5f5d62	`Signed-off-by: Jiri Slaby <jslaby@suse.cz>`
Jiri Slaby	5f5d62	`---`
Jiri Slaby	5f5d62	`net/bluetooth/l2cap_core.c \| 80 +++++++++++++++++++++++++---------------------`
Jiri Slaby	5f5d62	`1 file changed, 43 insertions(+), 37 deletions(-)`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c`
Jiri Slaby	5f5d62	`index f88ac99528ce..6754e93d2096 100644`
Jiri Slaby	5f5d62	`--- a/net/bluetooth/l2cap_core.c`
Jiri Slaby	5f5d62	`+++ b/net/bluetooth/l2cap_core.c`
Jiri Slaby	5f5d62	`@@ -58,7 +58,7 @@ static struct sk_buff l2cap_build_cmd(struct l2cap_conn conn,`
Jiri Slaby	5f5d62	`u8 code, u8 ident, u16 dlen, void *data);`
Jiri Slaby	5f5d62	`static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,`
Jiri Slaby	5f5d62	`void *data);`
Jiri Slaby	5f5d62	`-static int l2cap_build_conf_req(struct l2cap_chan chan, void data);`
Jiri Slaby	5f5d62	`+static int l2cap_build_conf_req(struct l2cap_chan chan, void data, size_t data_size);`
Jiri Slaby	5f5d62	`static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`static void l2cap_tx(struct l2cap_chan chan, struct l2cap_ctrl control,`
Jiri Slaby	5f5d62	`@@ -1473,7 +1473,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`set_bit(CONF_REQ_SENT, &chan->conf_state);`
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf), buf);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -2987,12 +2987,15 @@ static inline int l2cap_get_conf_opt(void *ptr, int type, int *olen,`
Jiri Slaby	5f5d62	`return len;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)`
Jiri Slaby	5f5d62	`+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)`
Jiri Slaby	5f5d62	`{`
Jiri Slaby	5f5d62	`struct l2cap_conf_opt opt = ptr;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`+ if (size < L2CAP_CONF_OPT_SIZE + len)`
Jiri Slaby	5f5d62	`+ return;`
Jiri Slaby	5f5d62	`+`
Jiri Slaby	5f5d62	`opt->type = type;`
Jiri Slaby	5f5d62	`opt->len = len;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3017,7 +3020,7 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)`
Jiri Slaby	5f5d62	`*ptr += L2CAP_CONF_OPT_SIZE + len;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`-static void l2cap_add_opt_efs(void *ptr, struct l2cap_chan chan)`
Jiri Slaby	5f5d62	`+static void l2cap_add_opt_efs(void *ptr, struct l2cap_chan chan, size_t size)`
Jiri Slaby	5f5d62	`{`
Jiri Slaby	5f5d62	`struct l2cap_conf_efs efs;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3045,7 +3048,7 @@ static void l2cap_add_opt_efs(void *ptr, struct l2cap_chan chan)`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),`
Jiri Slaby	5f5d62	`- (unsigned long) &efs;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &efs, size);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`static void l2cap_ack_timeout(struct work_struct *work)`
Jiri Slaby	5f5d62	`@@ -3191,11 +3194,12 @@ static inline void l2cap_txwin_setup(struct l2cap_chan *chan)`
Jiri Slaby	5f5d62	`chan->ack_win = chan->tx_win;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`-static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`+static int l2cap_build_conf_req(struct l2cap_chan chan, void data, size_t data_size)`
Jiri Slaby	5f5d62	`{`
Jiri Slaby	5f5d62	`struct l2cap_conf_req *req = data;`
Jiri Slaby	5f5d62	`struct l2cap_conf_rfc rfc = { .mode = chan->mode };`
Jiri Slaby	5f5d62	`void *ptr = req->data;`
Jiri Slaby	5f5d62	`+ void *endptr = data + data_size;`
Jiri Slaby	5f5d62	`u16 size;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`BT_DBG("chan %p", chan);`
Jiri Slaby	5f5d62	`@@ -3220,7 +3224,7 @@ static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`done:`
Jiri Slaby	5f5d62	`if (chan->imtu != L2CAP_DEFAULT_MTU)`
Jiri Slaby	5f5d62	`- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);`
Jiri Slaby	5f5d62	`+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`switch (chan->mode) {`
Jiri Slaby	5f5d62	`case L2CAP_MODE_BASIC:`
Jiri Slaby	5f5d62	`@@ -3239,7 +3243,7 @@ static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`rfc.max_pdu_size = 0;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),`
Jiri Slaby	5f5d62	`- (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_MODE_ERTM:`
Jiri Slaby	5f5d62	`@@ -3259,21 +3263,21 @@ static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`L2CAP_DEFAULT_TX_WINDOW);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),`
Jiri Slaby	5f5d62	`- (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (test_bit(FLAG_EFS_ENABLE, &chan->flags))`
Jiri Slaby	5f5d62	`- l2cap_add_opt_efs(&ptr, chan);`
Jiri Slaby	5f5d62	`+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (test_bit(FLAG_EXT_CTRL, &chan->flags))`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,`
Jiri Slaby	5f5d62	`- chan->tx_win);`
Jiri Slaby	5f5d62	`+ chan->tx_win, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (chan->conn->feat_mask & L2CAP_FEAT_FCS)`
Jiri Slaby	5f5d62	`if (chan->fcs == L2CAP_FCS_NONE \|\|`
Jiri Slaby	5f5d62	`test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {`
Jiri Slaby	5f5d62	`chan->fcs = L2CAP_FCS_NONE;`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,`
Jiri Slaby	5f5d62	`- chan->fcs);`
Jiri Slaby	5f5d62	`+ chan->fcs, endptr - ptr);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3291,17 +3295,17 @@ static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`rfc.max_pdu_size = cpu_to_le16(size);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),`
Jiri Slaby	5f5d62	`- (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (test_bit(FLAG_EFS_ENABLE, &chan->flags))`
Jiri Slaby	5f5d62	`- l2cap_add_opt_efs(&ptr, chan);`
Jiri Slaby	5f5d62	`+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (chan->conn->feat_mask & L2CAP_FEAT_FCS)`
Jiri Slaby	5f5d62	`if (chan->fcs == L2CAP_FCS_NONE \|\|`
Jiri Slaby	5f5d62	`test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {`
Jiri Slaby	5f5d62	`chan->fcs = L2CAP_FCS_NONE;`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,`
Jiri Slaby	5f5d62	`- chan->fcs);`
Jiri Slaby	5f5d62	`+ chan->fcs, endptr - ptr);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`@@ -3312,10 +3316,11 @@ static int l2cap_build_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`return ptr - data;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`-static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`+static int l2cap_parse_conf_req(struct l2cap_chan chan, void data, size_t data_size)`
Jiri Slaby	5f5d62	`{`
Jiri Slaby	5f5d62	`struct l2cap_conf_rsp *rsp = data;`
Jiri Slaby	5f5d62	`void *ptr = rsp->data;`
Jiri Slaby	5f5d62	`+ void *endptr = data + data_size;`
Jiri Slaby	5f5d62	`void *req = chan->conf_req;`
Jiri Slaby	5f5d62	`int len = chan->conf_len;`
Jiri Slaby	5f5d62	`int type, hint, olen;`
Jiri Slaby	5f5d62	`@@ -3417,7 +3422,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`return -ECONNREFUSED;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),`
Jiri Slaby	5f5d62	`- (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (result == L2CAP_CONF_SUCCESS) {`
Jiri Slaby	5f5d62	`@@ -3430,7 +3435,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`chan->omtu = mtu;`
Jiri Slaby	5f5d62	`set_bit(CONF_MTU_DONE, &chan->conf_state);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);`
Jiri Slaby	5f5d62	`+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (remote_efs) {`
Jiri Slaby	5f5d62	`if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&`
Jiri Slaby	5f5d62	`@@ -3444,7 +3449,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,`
Jiri Slaby	5f5d62	`sizeof(efs),`
Jiri Slaby	5f5d62	`- (unsigned long) &efs;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &efs, endptr - ptr);`
Jiri Slaby	5f5d62	`} else {`
Jiri Slaby	5f5d62	`/* Send PENDING Conf Rsp */`
Jiri Slaby	5f5d62	`result = L2CAP_CONF_PENDING;`
Jiri Slaby	5f5d62	`@@ -3477,7 +3482,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`set_bit(CONF_MODE_DONE, &chan->conf_state);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,`
Jiri Slaby	5f5d62	`- sizeof(rfc), (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {`
Jiri Slaby	5f5d62	`chan->remote_id = efs.id;`
Jiri Slaby	5f5d62	`@@ -3491,7 +3496,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`le32_to_cpu(efs.sdu_itime);`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,`
Jiri Slaby	5f5d62	`sizeof(efs),`
Jiri Slaby	5f5d62	`- (unsigned long) &efs;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &efs, endptr - ptr);`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3505,7 +3510,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`set_bit(CONF_MODE_DONE, &chan->conf_state);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),`
Jiri Slaby	5f5d62	`- (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3527,10 +3532,11 @@ static int l2cap_parse_conf_req(struct l2cap_chan chan, void data)`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`static int l2cap_parse_conf_rsp(struct l2cap_chan chan, void rsp, int len,`
Jiri Slaby	5f5d62	`- void data, u16 result)`
Jiri Slaby	5f5d62	`+ void data, size_t size, u16 result)`
Jiri Slaby	5f5d62	`{`
Jiri Slaby	5f5d62	`struct l2cap_conf_req *req = data;`
Jiri Slaby	5f5d62	`void *ptr = req->data;`
Jiri Slaby	5f5d62	`+ void *endptr = data + size;`
Jiri Slaby	5f5d62	`int type, olen;`
Jiri Slaby	5f5d62	`unsigned long val;`
Jiri Slaby	5f5d62	`struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };`
Jiri Slaby	5f5d62	`@@ -3548,13 +3554,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan chan, void rsp, int len,`
Jiri Slaby	5f5d62	`chan->imtu = L2CAP_DEFAULT_MIN_MTU;`
Jiri Slaby	5f5d62	`} else`
Jiri Slaby	5f5d62	`chan->imtu = val;`
Jiri Slaby	5f5d62	`- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);`
Jiri Slaby	5f5d62	`+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_CONF_FLUSH_TO:`
Jiri Slaby	5f5d62	`chan->flush_to = val;`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,`
Jiri Slaby	5f5d62	`- 2, chan->flush_to);`
Jiri Slaby	5f5d62	`+ 2, chan->flush_to, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_CONF_RFC:`
Jiri Slaby	5f5d62	`@@ -3568,13 +3574,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan chan, void rsp, int len,`
Jiri Slaby	5f5d62	`chan->fcs = 0;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,`
Jiri Slaby	5f5d62	`- sizeof(rfc), (unsigned long) &rfc;;`
Jiri Slaby	5f5d62	`+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_CONF_EWS:`
Jiri Slaby	5f5d62	`chan->ack_win = min_t(u16, val, chan->ack_win);`
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,`
Jiri Slaby	5f5d62	`- chan->tx_win);`
Jiri Slaby	5f5d62	`+ chan->tx_win, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_CONF_EFS:`
Jiri Slaby	5f5d62	`@@ -3587,7 +3593,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan chan, void rsp, int len,`
Jiri Slaby	5f5d62	`return -ECONNREFUSED;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),`
Jiri Slaby	5f5d62	`- (unsigned long) &efs;;`
Jiri Slaby	5f5d62	`+ (unsigned long) &efs, endptr - ptr);`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`case L2CAP_CONF_FCS:`
Jiri Slaby	5f5d62	`@@ -3692,7 +3698,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)`
Jiri Slaby	5f5d62	`return;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf), buf);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3900,7 +3906,7 @@ static struct l2cap_chan l2cap_connect(struct l2cap_conn conn,`
Jiri Slaby	5f5d62	`u8 buf[128];`
Jiri Slaby	5f5d62	`set_bit(CONF_REQ_SENT, &chan->conf_state);`
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf), buf);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -3978,7 +3984,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, req), req);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, req, sizeof(req)), req);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`break;`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -4090,7 +4096,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`/* Complete config. */`
Jiri Slaby	5f5d62	`- len = l2cap_parse_conf_req(chan, rsp);`
Jiri Slaby	5f5d62	`+ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));`
Jiri Slaby	5f5d62	`if (len < 0) {`
Jiri Slaby	5f5d62	`l2cap_send_disconn_req(chan, ECONNRESET);`
Jiri Slaby	5f5d62	`goto unlock;`
Jiri Slaby	5f5d62	`@@ -4124,7 +4130,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,`
Jiri Slaby	5f5d62	`if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {`
Jiri Slaby	5f5d62	`u8 buf[64];`
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf), buf);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`@@ -4184,7 +4190,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn,`
Jiri Slaby	5f5d62	`char buf[64];`
Jiri Slaby	5f5d62
Jiri Slaby	5f5d62	`len = l2cap_parse_conf_rsp(chan, rsp->data, len,`
Jiri Slaby	5f5d62	`- buf, &result);`
Jiri Slaby	5f5d62	`+ buf, sizeof(buf), &result);`
Jiri Slaby	5f5d62	`if (len < 0) {`
Jiri Slaby	5f5d62	`l2cap_send_disconn_req(chan, ECONNRESET);`
Jiri Slaby	5f5d62	`goto done;`
Jiri Slaby	5f5d62	`@@ -4214,7 +4220,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn,`
Jiri Slaby	5f5d62	`/* throw out any old stored conf requests */`
Jiri Slaby	5f5d62	`result = L2CAP_CONF_SUCCESS;`
Jiri Slaby	5f5d62	`len = l2cap_parse_conf_rsp(chan, rsp->data, len,`
Jiri Slaby	5f5d62	`- req, &result);`
Jiri Slaby	5f5d62	`+ req, sizeof(req), &result);`
Jiri Slaby	5f5d62	`if (len < 0) {`
Jiri Slaby	5f5d62	`l2cap_send_disconn_req(chan, ECONNRESET);`
Jiri Slaby	5f5d62	`goto done;`
Jiri Slaby	5f5d62	`@@ -4791,7 +4797,7 @@ static void l2cap_do_create(struct l2cap_chan *chan, int result,`
Jiri Slaby	5f5d62	`set_bit(CONF_REQ_SENT, &chan->conf_state);`
Jiri Slaby	5f5d62	`l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),`
Jiri Slaby	5f5d62	`L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf), buf);`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`@@ -7465,7 +7471,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)`
Jiri Slaby	5f5d62	`set_bit(CONF_REQ_SENT, &chan->conf_state);`
Jiri Slaby	5f5d62	`l2cap_send_cmd(conn, l2cap_get_ident(conn),`
Jiri Slaby	5f5d62	`L2CAP_CONF_REQ,`
Jiri Slaby	5f5d62	`- l2cap_build_conf_req(chan, buf),`
Jiri Slaby	5f5d62	`+ l2cap_build_conf_req(chan, buf, sizeof(buf)),`
Jiri Slaby	5f5d62	`buf);`
Jiri Slaby	5f5d62	`chan->num_conf_req++;`
Jiri Slaby	5f5d62	`}`
Jiri Slaby	5f5d62	`--`
Jiri Slaby	5f5d62	`2.14.2`
Jiri Slaby	5f5d62

kernel / kernel-source

Source Code

Blame patches.kernel.org/4.12.13-017-Bluetooth-Properly-check-L2CAP-config-option-.patch