Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4d6a2188 authored by Marcel Holtmann's avatar Marcel Holtmann Committed by David S. Miller
Browse files

[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg() 



When calling send() with a zero length parameter on a RFCOMM socket
it returns a positive value. In this rare case the variable err is
used uninitialized and unfortunately its value is returned.

Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent b6e557fb

net/bluetooth/rfcomm/sock.c

+6 −3
Original line number Diff line number Diff line
@@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 
	struct sock *sk = sock->sk;

	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	struct sk_buff *skb;

	int err;

	int sent = 0;



	if (msg->msg_flags & MSG_OOB)
@@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 


	while (len) {

		size_t size = min_t(size_t, len, d->mtu);

		int err;

		

		skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,

				msg->msg_flags & MSG_DONTWAIT, &err);
@@ -582,6 +582,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 
		err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);

		if (err) {

			kfree_skb(skb);

			if (sent == 0)

				sent = err;

			break;

		}
@@ -589,6 +590,8 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 
		err = rfcomm_dlc_send(d, skb);

		if (err < 0) {

			kfree_skb(skb);

			if (sent == 0)

				sent = err;

			break;

		}
@@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 


	release_sock(sk);



	return sent ? sent : err;

	return sent;

}



static long rfcomm_sock_data_wait(struct sock *sk, long timeo)