diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2015-04-01 13:51:54 -0700 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2015-04-02 08:44:02 +0300 |
commit | 0151e426b150db17992b49fa9ce96b79dace2aed (patch) | |
tree | 572059f3f21b9a4b794d79705d8f7de00d8378c1 /net | |
parent | 5f5da99f1da5b01c7c45473a500c7dbb77a00958 (diff) | |
download | op-kernel-dev-0151e426b150db17992b49fa9ce96b79dace2aed.zip op-kernel-dev-0151e426b150db17992b49fa9ce96b79dace2aed.tar.gz |
Bluetooth: Restrict BNEP flags to only valid ones
The BNEP flags should be clearly restricted to valid ones. So this puts
extra checks in place to ensure this.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/bnep/core.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c index 05f57e4..c05eccc 100644 --- a/net/bluetooth/bnep/core.c +++ b/net/bluetooth/bnep/core.c @@ -525,6 +525,7 @@ static struct device_type bnep_type = { int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) { + u32 valid_flags = 0; struct net_device *dev; struct bnep_session *s, *ss; u8 dst[ETH_ALEN], src[ETH_ALEN]; @@ -535,6 +536,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) if (!l2cap_is_socket(sock)) return -EBADFD; + if (req->flags & ~valid_flags) + return -EINVAL; + baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst); baswap((void *) src, &l2cap_pi(sock->sk)->chan->src); @@ -611,11 +615,15 @@ failed: int bnep_del_connection(struct bnep_conndel_req *req) { + u32 valid_flags = 0; struct bnep_session *s; int err = 0; BT_DBG(""); + if (req->flags & ~valid_flags) + return -EINVAL; + down_read(&bnep_session_sem); s = __bnep_get_session(req->dst); @@ -631,10 +639,12 @@ int bnep_del_connection(struct bnep_conndel_req *req) static void __bnep_copy_ci(struct bnep_conninfo *ci, struct bnep_session *s) { + u32 valid_flags = 0; + memset(ci, 0, sizeof(*ci)); memcpy(ci->dst, s->eh.h_source, ETH_ALEN); strcpy(ci->device, s->dev->name); - ci->flags = s->flags; + ci->flags = s->flags & valid_flags; ci->state = s->state; ci->role = s->role; } |