

Bluetooth: Prevents buffer overflow on l2cap_ertm_reassembly_sdu()
The checks should be done before the memcpy to avoid buffer
overflow.

Reported-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Gustavo F. Padovan authored and Marcel Holtmann committed May 10, 2010
1 parent dfc909b commit 4178ba4
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions net/bluetooth/l2cap.c
Expand Up @@ -3470,12 +3470,12 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
if (!pi->sdu)
goto disconnect;

memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);

pi->partial_sdu_len += skb->len;
if (pi->partial_sdu_len > pi->sdu_len)
goto drop;

memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);

break;

case L2CAP_SDU_END:
Expand All @@ -3486,15 +3486,15 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
goto disconnect;

if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);

pi->partial_sdu_len += skb->len;

if (pi->partial_sdu_len > pi->imtu)
goto drop;

if (pi->partial_sdu_len != pi->sdu_len)
goto drop;

memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
}

_skb = skb_clone(pi->sdu, GFP_ATOMIC);
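Review bot: In the L2CAP_SDU_CONTINUE hunk the guard still increments `pi->partial_sdu_len` before it decides to drop, and it relies on that addition not wrapping; `partial_sdu_len` is not declared in this hunk, so if it is narrower than `skb->len` a wrapped sum can pass the `>` comparison and still reach `skb_put`. Checking the remaining room before touching the counter avoids both issues: `if (skb->len > pi->sdu_len - pi->partial_sdu_len) goto drop;` followed by `pi->partial_sdu_len += skb->len;` and then the memcpy. The same shape fits the L2CAP_SDU_END hunk, where the `!= pi->sdu_len` test becomes `skb->len != pi->sdu_len - pi->partial_sdu_len`. Both guards presume `pi->sdu` was allocated with `sdu_len` bytes of tailroom at L2CAP_SDU_START, which is outside this hunk, so a comment such as `/* sdu_len bounds the buffer allocated at L2CAP_SDU_START; skb_put past it panics */` above the first check would make the invariant visible; the `drop` label and the rest of l2cap_ertm_reassembly_sdu are also outside the hunk, so whether a stale counter survives a drop cannot be confirmed here.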

