Bluetooth: Fix bug with ERTM minimum packet length

ERTM and streaming mode L2CAP sockets have no minimum packet length. Only basic mode connections have minimum length. Instead, validate the packet containing all necessary control, FCS, and SAR fields. The patch fixes the drop of valid packets with length lower than 4. Signed-off-by: Nathan Holstein <ngh@isomerica.net> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
git-mirror · Jul 21, 2010 · 51893f8 · 51893f8
1 parent bfbacc1
commit 51893f8
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
@@ -4092,9 +4092,9 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 {
 	struct sock *sk;
 	struct l2cap_pinfo *pi;
-	u16 control, len;
+	u16 control;
 	u8 tx_seq, req_seq;
-	int next_tx_seq_offset, req_seq_offset;
+	int len, next_tx_seq_offset, req_seq_offset;
 
 	sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
 	if (!sk) {
@@ -4164,7 +4164,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 		}
 
 		if (__is_iframe(control)) {
-			if (len < 4) {
+			if (len < 0) {
 				l2cap_send_disconn_req(pi->conn, sk);
 				goto drop;
 			}
@@ -4192,7 +4192,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 		if (pi->fcs == L2CAP_FCS_CRC16)
 			len -= 2;
 
-		if (len > pi->mps || len < 4 || __is_sframe(control))
+		if (len > pi->mps || len < 0 || __is_sframe(control))
 			goto drop;
 
 		if (l2cap_check_fcs(pi, skb))