Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fbe00700 authored by Gustavo Padovan's avatar Gustavo Padovan Committed by Gustavo Padovan
Browse files

Bluetooth: Fix wrong set of skb fragments 



If alloc() fails we let the frags linked list with garbage value (the
err ptr value) in its last element.

Reported-by: default avatarMat Martineau <mathewm@codeaurora.org>
Signed-off-by: default avatarGustavo Padovan <gustavo@padovan.org>
Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
parent 08e6d907

net/bluetooth/l2cap_core.c

+8 −4
Original line number Original line Diff line number Diff line
@@ -1836,13 +1836,17 @@ static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 
	/* Continuation fragments (no L2CAP header) */

	/* Continuation fragments (no L2CAP header) */

	frag = &skb_shinfo(skb)->frag_list;

	frag = &skb_shinfo(skb)->frag_list;

	while (len) {

	while (len) {

		struct sk_buff *tmp;



		count = min_t(unsigned int, conn->mtu, len);

		count = min_t(unsigned int, conn->mtu, len);





		*frag = chan->ops->alloc_skb(chan, count,

		tmp = chan->ops->alloc_skb(chan, count,

					   msg->msg_flags & MSG_DONTWAIT);

					   msg->msg_flags & MSG_DONTWAIT);

		if (IS_ERR(tmp))

			return PTR_ERR(tmp);



		*frag = tmp;





		if (IS_ERR(*frag))

			return PTR_ERR(*frag);

		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))

		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))

			return -EFAULT;

			return -EFAULT;