Commit 55cee73e authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz Committed by Marcel Holtmann

Bluetooth: Make use of skb_pull to parse L2CAP signaling PDUs



This uses skb_pull when parsing signalling PDUs so that skb->data points
to the current PDU and skb->len holds the number of bytes remaining to be
processed.

Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent debdedf2
+13 −16
@@ -5835,9 +5835,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
				     struct sk_buff *skb)
				     struct sk_buff *skb)
{
{
	struct hci_conn *hcon = conn->hcon;
	struct hci_conn *hcon = conn->hcon;
	u8 *data = skb->data;
	struct l2cap_cmd_hdr *cmd;
	int len = skb->len;
	struct l2cap_cmd_hdr cmd;
	int err;
	int err;


	l2cap_raw_recv(conn, skb);
	l2cap_raw_recv(conn, skb);
@@ -5845,35 +5843,34 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
	if (hcon->type != ACL_LINK)
	if (hcon->type != ACL_LINK)
		goto drop;
		goto drop;


	while (len >= L2CAP_CMD_HDR_SIZE) {
	while (skb->len >= L2CAP_CMD_HDR_SIZE) {
		u16 cmd_len;
		u16 len;
		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
		data += L2CAP_CMD_HDR_SIZE;
		len  -= L2CAP_CMD_HDR_SIZE;


		cmd_len = le16_to_cpu(cmd.len);
		cmd = (void *) skb->data;
		skb_pull(skb, L2CAP_CMD_HDR_SIZE);


		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
		len = le16_to_cpu(cmd->len);
		       cmd.ident);

		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
		       cmd->ident);


		if (cmd_len > len || !cmd.ident) {
		if (len > skb->len || !cmd->ident) {
			BT_DBG("corrupted command");
			BT_DBG("corrupted command");
			break;
			break;
		}
		}


		err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
		err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
		if (err) {
		if (err) {
			struct l2cap_cmd_rej_unk rej;
			struct l2cap_cmd_rej_unk rej;


			BT_ERR("Wrong link type (%d)", err);
			BT_ERR("Wrong link type (%d)", err);


			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
			l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
				       sizeof(rej), &rej);
				       sizeof(rej), &rej);
		}
		}


		data += cmd_len;
		skb_pull(skb, len);
		len  -= cmd_len;
	}
	}


drop:
drop:
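Review bot: The reject path `l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, ...)` now reads `ident` through a pointer that aliases the skb's buffer after `skb_pull(skb, L2CAP_CMD_HDR_SIZE)` and after the call into `l2cap_bredr_sig_cmd`, whereas the old code read it from a stack copy; this is only correct because skb_pull() advances skb->data within the same linear buffer and, as far as visible here, no handler reshapes or consumes the skb, so that assumption deserves a comment at the cast, e.g. `/* cmd stays valid across skb_pull(): the header bytes remain in the linear buffer and the handlers do not reshape the skb */`. Both skb_pull() results are left unchecked, which is fine since the loop condition bounds the first pull and `len > skb->len` bounds the second, but a one-line comment on `skb_pull(skb, len)` saying so would stop a future reader from adding a redundant NULL check or loosening the length test. Reading `cmd->len` through the cast is safe only if `struct l2cap_cmd_hdr` is declared `__packed` (not visible on this page); the memcpy into a local that this commit removes was alignment-agnostic, so please confirm the declaration. l2cap_sig_channel's `drop:` label body continues outside the hunk.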