From f971e1c557d109d282dd9ff55a814f8d3add0454 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?=
Date: Sat, 1 May 2010 16:15:43 -0300
Subject: [PATCH] --- yaml --- r: 194857 b: refs/heads/master c: 01760bdde9a92413b7fff928d08e19352bf09d82 h: refs/heads/master i: 194855: f78eef5957086ae4613fbcb94ddbed899136bbe4 v: v3
---
 [refs] | 2 +-
 trunk/net/bluetooth/l2cap.c | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/[refs] b/[refs]
index f7c66e790f42..d58e2a068cad 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: afefdbc4cf3b9d409d07e1e5264e7ff88bc48711
+refs/heads/master: 01760bdde9a92413b7fff928d08e19352bf09d82
diff --git a/trunk/net/bluetooth/l2cap.c b/trunk/net/bluetooth/l2cap.c
index 478def700c7c..31514d8faa66 100644
--- a/trunk/net/bluetooth/l2cap.c
+++ b/trunk/net/bluetooth/l2cap.c
@@ -3772,7 +3772,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 struct sock *sk;
 struct l2cap_pinfo *pi;
 u16 control, len;
- u8 tx_seq;
+ u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset;
 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
 if (!sk) {
@@ -3823,6 +3823,22 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
 if (l2cap_check_fcs(pi, skb))
 goto drop;
+ req_seq = __get_reqseq(control);
+ req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
+ if (req_seq_offset < 0)
+ req_seq_offset += 64;
+
+ next_tx_seq_offset =
+ (pi->next_tx_seq - pi->expected_ack_seq) % 64;
+ if (next_tx_seq_offset < 0)
+ next_tx_seq_offset += 64;
+
+ /* check for invalid req-seq */
+ if (req_seq_offset > next_tx_seq_offset) {
+ l2cap_send_disconn_req(pi->conn, sk);
+ goto drop;
+ }
+
 if (__is_iframe(control)) {
 if (len < 4)
 goto drop;
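Review bot: The `if (req_seq_offset < 0)` and `if (next_tx_seq_offset < 0)` fix-ups in the block added after the FCS check are dead code, because the declaration hunk above makes both offsets `u8`. Assuming `pi->expected_ack_seq` and `pi->next_tx_seq` are narrower than `int` (their types are not visible here), a negative remainder such as -3 is stored as 253 rather than 61, so the offsets stop being distances modulo 64 once the sequence space wraps. The `req_seq_offset > next_tx_seq_offset` test, which decides whether a peer-supplied `req_seq` tears down the channel, then depends on how those wrapped values happen to order instead of on the intended arithmetic. Declaring them signed, `u8 tx_seq, req_seq;` and `int next_tx_seq_offset, req_seq_offset;`, makes the `+= 64` corrections take effect. `l2cap_data_channel()` starts and ends outside both hunks, so later uses of `req_seq` are not covered by this note.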