Bluetooth: Fix L2CAP control bit field corruption
When resending an I-frame, ERTM was reusing the control bits from the last time it was sent, that was causing a corruption in the new control field due to it dirty fields. This patches extracts only the SAR bits from the old field and reuse it to resend the packet, the others bits should be reset and receive the updated value. Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
parent
c13ffa620f
commit
95ffa97827
1 changed files with 4 additions and 0 deletions
|
@ -1430,6 +1430,8 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
|
|||
tx_skb = skb_clone(skb, GFP_ATOMIC);
|
||||
bt_cb(skb)->retries++;
|
||||
control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
|
||||
control &= L2CAP_CTRL_SAR;
|
||||
|
||||
control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
|
||||
| (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
|
||||
put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
|
||||
|
@ -1465,6 +1467,8 @@ static int l2cap_ertm_send(struct sock *sk)
|
|||
bt_cb(skb)->retries++;
|
||||
|
||||
control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
|
||||
control &= L2CAP_CTRL_SAR;
|
||||
|
||||
if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
|
||||
control |= L2CAP_CTRL_FINAL;
|
||||
pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
|
||||
|
|
Loading…
Reference in a new issue