From: Andre Guedes Date: Thu, 31 May 2012 20:01:34 +0000 (-0300) Subject: Bluetooth: Check MTU value in l2cap_sock_setsockopt_old X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=682877c31fc1b6510b694b6b8e78d8dde53a47cc;p=openwrt%2Fstaging%2Fblogic.git Bluetooth: Check MTU value in l2cap_sock_setsockopt_old If user tries to set an invalid MTU value, l2cap_sock_setsockopt_old should return -EINVAL. Signed-off-by: Andre Guedes Signed-off-by: Gustavo Padovan --- diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index d856cc8f22a3..ab5868d94307 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -445,6 +445,22 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch return err; } +static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) +{ + switch (chan->scid) { + case L2CAP_CID_LE_DATA: + if (mtu < L2CAP_LE_DEFAULT_MTU) + return false; + break; + + default: + if (mtu < L2CAP_DEFAULT_MIN_MTU) + return false; + } + + return true; +} + static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen) { struct sock *sk = sock->sk; @@ -483,6 +499,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us break; } + if (!l2cap_valid_mtu(chan, opts.imtu)) { + err = -EINVAL; + break; + } + chan->mode = opts.mode; switch (chan->mode) { case L2CAP_MODE_BASIC: