diff options
author | João Paulo Rechi Vita <jprvita@profusion.mobi> | 2010-05-31 18:35:44 -0300 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-07-21 10:39:04 -0700 |
commit | bfbacc11550a785caf082f3ccfcd7ecf882e09a4 (patch) | |
tree | 82ec0b4aa7003884a0dec27f944db0647fd1e028 | |
parent | 6e2b6722abaa3f6042357e11f465488b7c12f94c (diff) | |
download | kernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.zip kernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.tar.gz kernel_samsung_smdk4412-bfbacc11550a785caf082f3ccfcd7ecf882e09a4.tar.bz2 |
Bluetooth: Fix SREJ_QUEUE corruption in L2CAP
Since all TxSeq values are modulo, we shall not compare them directly. We
have to compare their offset inside the TxWindow instead.
Signed-off-by: João Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/l2cap.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 69f098d..b897621 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3394,6 +3394,8 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk) static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) { struct sk_buff *next_skb; + struct l2cap_pinfo *pi = l2cap_pi(sk); + int tx_seq_offset, next_tx_seq_offset; bt_cb(skb)->tx_seq = tx_seq; bt_cb(skb)->sar = sar; @@ -3404,11 +3406,20 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s return 0; } + tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; + if (tx_seq_offset < 0) + tx_seq_offset += 64; + do { if (bt_cb(next_skb)->tx_seq == tx_seq) return -EINVAL; - if (bt_cb(next_skb)->tx_seq > tx_seq) { + next_tx_seq_offset = (bt_cb(next_skb)->tx_seq - + pi->buffer_seq) % 64; + if (next_tx_seq_offset < 0) + next_tx_seq_offset += 64; + + if (next_tx_seq_offset > tx_seq_offset) { __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); return 0; } |