iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bluetooth: Fix wrong set of skb fragments

Browse Source 
If alloc() fails we let the frags linked list with garbage value (the
err ptr value) in its last element.

Reported-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
Gustavo Padovan 2012-05-15 13:22:55 -03:00 committed by Gustavo Padovan
parent 08e6d907fe
commit fbe0070092
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
net/bluetooth/l2cap_core.c
View File

@ -1836,13 +1836,17 @@ static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
/* Continuation fragments (no L2CAP header) */ /* Continuation fragments (no L2CAP header) */
frag = &skb_shinfo(skb)->frag_list; frag = &skb_shinfo(skb)->frag_list;
while (len) { while (len) {
struct sk_buff *tmp;
count = min_t(unsigned int, conn->mtu, len); count = min_t(unsigned int, conn->mtu, len);
*frag = chan->ops->alloc_skb(chan, count, tmp = chan->ops->alloc_skb(chan, count,
msg->msg_flags & MSG_DONTWAIT); msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(tmp))
return PTR_ERR(tmp);
*frag = tmp;
if (IS_ERR(*frag))
return PTR_ERR(*frag);
if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
return -EFAULT; return -EFAULT;