Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8bf17a36 authored by Marcel Holtmann's avatar Marcel Holtmann Committed by Johan Hedberg
Browse files

Bluetooth: Restrict CMTP flags to only valid ones 



The CMTP flags should be clearly restricted to valid ones. So this puts
extra checks in place to ensure this.

Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
parent 41533fe5

net/bluetooth/cmtp/core.c

+10 −1
Original line number Diff line number Diff line
@@ -75,10 +75,11 @@ static void __cmtp_unlink_session(struct cmtp_session *session) 


static void __cmtp_copy_session(struct cmtp_session *session, struct cmtp_conninfo *ci)

{

	u32 valid_flags = BIT(CMTP_LOOPBACK);

	memset(ci, 0, sizeof(*ci));

	bacpy(&ci->bdaddr, &session->bdaddr);



	ci->flags = session->flags;

	ci->flags = session->flags & valid_flags;

	ci->state = session->state;



	ci->num = session->num;
@@ -329,6 +330,7 @@ static int cmtp_session(void *arg) 


int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)

{

	u32 valid_flags = BIT(CMTP_LOOPBACK);

	struct cmtp_session *session, *s;

	int i, err;
@@ -337,6 +339,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) 
	if (!l2cap_is_socket(sock))

		return -EBADFD;



	if (req->flags & ~valid_flags)

		return -EINVAL;



	session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);

	if (!session)

		return -ENOMEM;
@@ -409,11 +414,15 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) 


int cmtp_del_connection(struct cmtp_conndel_req *req)

{

	u32 valid_flags = 0;

	struct cmtp_session *session;

	int err = 0;



	BT_DBG("");



	if (req->flags & ~valid_flags)

		return -EINVAL;



	down_read(&cmtp_session_sem);



	session = __cmtp_get_session(&req->bdaddr);