From fbeff95230583a95cc3ce8e814b45967d1bb72e0 Mon Sep 17 00:00:00 2001
From: Anderson Lizardo
Date: Sun, 2 Jun 2013 16:30:40 -0400
Subject: [PATCH] --- yaml --- r: 377393 b: refs/heads/master c: 300b962e5244a1ea010df7e88595faa0085b461d h: refs/heads/master i: 377391: 074095e5988a0ba9557ec5e67af79b53a2824922 v: v3
---
 [refs] | 2 +-
 trunk/net/bluetooth/l2cap_core.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index cc844097f90b..bb9dda436982 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: d90b9e29ec5fe7a08eb7965386ebb47615306584
+refs/heads/master: 300b962e5244a1ea010df7e88595faa0085b461d
diff --git a/trunk/net/bluetooth/l2cap_core.c b/trunk/net/bluetooth/l2cap_core.c
index 24bee07ee4ce..4be6a264b475 100644
--- a/trunk/net/bluetooth/l2cap_core.c
+++ b/trunk/net/bluetooth/l2cap_core.c
@@ -2852,6 +2852,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", conn, code, ident, dlen); + if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) + return NULL; + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; count = min_t(unsigned int, conn->mtu, len);
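Review bot: The new early `return NULL` on `conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE` in l2cap_build_cmd() fails silently and has no comment saying why an undersized MTU must be rejected at this point. Because `count` is clamped to `conn->mtu` two lines later, the check presumably keeps the header writes further down (outside this hunk) from exceeding a buffer sized by `count`; a comment such as `/* conn->mtu cannot hold the L2CAP and command headers; no PDU can be built */` would record that. A `BT_DBG("conn %p mtu %u below header size", conn, conn->mtu);` before the return would make the dropped command visible when diagnosing a link that reports a bogus MTU. The callers and the place where `conn->mtu` is assigned are not in the hunk, so it is worth confirming that every caller handles a NULL result and that the MTU is also range-checked where it is set, not only at this use.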