Bluetooth: Fix bug with ERTM minimum packet length
ERTM and streaming mode L2CAP sockets have no minimum packet length. Only
basic mode connections have minimum length.
Instead, validate that the packet contains all necessary control, FCS,
and SAR fields.
The patch fixes the drop of valid packets with length lower than 4.
Signed-off-by: Nathan Holstein <ngh@isomerica.net>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index b897621..4af8fc0 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -4092,9 +4092,9 @@
{
struct sock *sk;
struct l2cap_pinfo *pi;
- u16 control, len;
+ u16 control;
u8 tx_seq, req_seq;
- int next_tx_seq_offset, req_seq_offset;
+ int len, next_tx_seq_offset, req_seq_offset;
sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
if (!sk) {
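Review bot: Nothing at the declaration of `len` records that it has to stay signed, yet the `len < 0` tests this patch adds in the `__is_iframe(control)` branch and in the later `len > pi->mps || len < 0 || __is_sframe(control)` condition depend on it. As a `u16`, the `len -= 2` adjustment would wrap on a short frame and `len < 0` could never be true. I would add a comment on the declaration, e.g. `/* len is signed: field sizes are subtracted first, so a short frame goes negative */`. The function's signature and the rest of its body are outside this hunk.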
@@ -4164,7 +4164,7 @@
}
if (__is_iframe(control)) {
- if (len < 4) {
+ if (len < 0) {
l2cap_send_disconn_req(pi->conn, sk);
goto drop;
}
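Review bot: With `len < 0` in the `__is_iframe(control)` branch, I-frames whose computed `len` is 0 to 3 now reach the I-frame handling that follows, which `len < 4` previously kept out. That handling and the place where `len` is computed are outside this hunk, so it is worth confirming that the reassembly code there copes with an empty payload. A comment on the check would also help the next reader, e.g. `/* len < 0: frame is shorter than its own control, SAR and FCS fields */`.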
@@ -4192,7 +4192,7 @@
if (pi->fcs == L2CAP_FCS_CRC16)
len -= 2;
- if (len > pi->mps || len < 4 || __is_sframe(control))
+ if (len > pi->mps || len < 0 || __is_sframe(control))
goto drop;
if (l2cap_check_fcs(pi, skb))
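Review bot: The order of this length test and the `l2cap_check_fcs(pi, skb)` call right after it matters, and nothing documents it. `l2cap_check_fcs` is not shown, but it presumably reads the trailing FCS bytes, so a frame too short to hold them has to be dropped first. I would add `/* drop short frames before l2cap_check_fcs() looks at the trailer */` above the condition. The ERTM lines between the declarations and the `__is_iframe(control)` check are not visible in this patch, so the same ordering should be confirmed there. The `if` on the last line continues outside the hunk.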