aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoão Paulo Rechi Vita <jprvita@profusion.mobi>2010-05-31 18:35:44 -0300
committerMarcel Holtmann <marcel@holtmann.org>2010-07-21 10:39:04 -0700
commitbfbacc11550a785caf082f3ccfcd7ecf882e09a4 (patch)
tree82ec0b4aa7003884a0dec27f944db0647fd1e028
parent6e2b6722abaa3f6042357e11f465488b7c12f94c (diff)
downloadkernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.zip
kernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.tar.gz
kernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.tar.bz2
Bluetooth: Fix SREJ_QUEUE corruption in L2CAP
Since all TxSeq values are modulo, we shall not compare them directly. We have to compare their offset inside the TxWindow instead. Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi> Acked-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--net/bluetooth/l2cap.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 69f098d..b897621 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3394,6 +3394,8 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
{
struct sk_buff *next_skb;
+ struct l2cap_pinfo *pi = l2cap_pi(sk);
+ int tx_seq_offset, next_tx_seq_offset;
bt_cb(skb)->tx_seq = tx_seq;
bt_cb(skb)->sar = sar;
@@ -3404,11 +3406,20 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
return 0;
}
+ tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
+ if (tx_seq_offset < 0)
+ tx_seq_offset += 64;
+
do {
if (bt_cb(next_skb)->tx_seq == tx_seq)
return -EINVAL;
- if (bt_cb(next_skb)->tx_seq > tx_seq) {
+ next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
+ pi->buffer_seq) % 64;
+ if (next_tx_seq_offset < 0)
+ next_tx_seq_offset += 64;
+
+ if (next_tx_seq_offset > tx_seq_offset) {
__skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
return 0;
}