Bluetooth: Prevent uninitialized data access in L2CAP configuration
When configuring an ERTM or streaming mode connection, remote devices are expected to send an RFC option in a successful config response. A misbehaving remote device might not send an RFC option, and the L2CAP code should not access uninitialized data in this case. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
parent
33cb722c22
commit
36e999a83a
1 changed files with 11 additions and 1 deletions
|
@ -2152,7 +2152,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
|
|||
void *ptr = req->data;
|
||||
int type, olen;
|
||||
unsigned long val;
|
||||
struct l2cap_conf_rfc rfc;
|
||||
struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
|
||||
|
||||
BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
|
||||
|
||||
|
@ -2271,6 +2271,16 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
|
|||
}
|
||||
}
|
||||
|
||||
/* Use sane default values in case a misbehaving remote device
|
||||
* did not send an RFC option.
|
||||
*/
|
||||
rfc.mode = chan->mode;
|
||||
rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
|
||||
rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
|
||||
rfc.max_pdu_size = cpu_to_le16(chan->imtu);
|
||||
|
||||
BT_ERR("Expected RFC option was not found, using defaults");
|
||||
|
||||
done:
|
||||
switch (rfc.mode) {
|
||||
case L2CAP_MODE_ERTM:
|
||||
|
|
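Review bot: The four `rfc.` default assignments only cover the path where the option loop runs out of options; if the loop that closes at the two `}` lines at the top of the hunk (its body is outside the hunk) can reach `done:` by any other path — an RFC option whose length does not match `sizeof(rfc)` and is therefore not copied is the obvious candidate — then `switch (rfc.mode)` still reads an uninitialized `rfc`, the very condition the commit sets out to remove. The more robust guard is the one the first hunk already applies in l2cap_parse_conf_rsp: initialize at the declaration, `struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };`, so every route into `done:` sees defined memory and a malformed option leaves the channel's ERTM parameters untouched (the declaration in l2cap_conf_rfc_get is not visible here, so this assumes it is still the bare `struct l2cap_conf_rfc rfc;`). The defaults also leave `txwin_size` and `max_transmit` unset, which is fine only if the `switch` below reads just the mode, timeouts and `max_pdu_size`; that is not visible in the hunk. `BT_ERR` on this path is driven entirely by peer input, so a misbehaving remote can emit it at will; `BT_DBG` or a rate-limited message fits a protocol deviation better than the error level. l2cap_conf_rfc_get starts before the hunk and its `switch` continues past it.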