git://ftp.safe.ca / safe / jmp / linux-2.6 / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Bluetooth: Check the SDU size against the MTU value
[safe/jmp/linux-2.6] / net / bluetooth / l2cap.c
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 0889949..e936913 100644 (file)
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3338,6 +3338,11 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
                pi->sdu_len = get_unaligned_le16(skb->data);
                skb_pull(skb, 2);
 
+               if (pi->sdu_len > pi->imtu) {
+                       err = -EMSGSIZE;
+                       break;
+               }
+
                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
                if (!pi->sdu) {
                        err = -ENOMEM;
Full containers within linux kernel