[BLUETOOTH]: pass (host-endian) cmd length as explicit argument to l2cap_conf_req()

	return 0;

}

static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)

static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)

{

	struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;

	u16 dcid, flags;

		goto unlock;

	/* Reject if config buffer is too small. */

	len = cmd->len - sizeof(*req);

	len = cmd_len - sizeof(*req);

	if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {

		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,

				l2cap_build_conf_rsp(sk, rsp,

	l2cap_raw_recv(conn, skb);

	while (len >= L2CAP_CMD_HDR_SIZE) {

		u16 cmd_len;

		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);

		data += L2CAP_CMD_HDR_SIZE;

		len  -= L2CAP_CMD_HDR_SIZE;

		cmd.len = __le16_to_cpu(cmd.len);

		cmd_len = le16_to_cpu(cmd.len);

		cmd.len = cmd_len;

		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd.len, cmd.ident);

		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);

		if (cmd.len > len || !cmd.ident) {

		if (cmd_len > len || !cmd.ident) {

			BT_DBG("corrupted command");

			break;

		}

			break;

		case L2CAP_CONF_REQ:

			err = l2cap_config_req(conn, &cmd, data);

			err = l2cap_config_req(conn, &cmd, cmd_len, data);

			break;

		case L2CAP_CONF_RSP:

			break;

		case L2CAP_ECHO_REQ:

			l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd.len, data);

			l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);

			break;

		case L2CAP_ECHO_RSP:

			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);

		}

		data += cmd.len;

		len  -= cmd.len;

		data += cmd_len;

		len  -= cmd_len;

	}

	kfree_skb(skb);