From: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Date: Wed, 15 Sep 2010 11:28:43 +0000 (+0300)
Subject: Bluetooth: check for l2cap header in start fragment
X-Git-Tag: v2.6.37-rc1~147^2~78^2~1^2~7
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=aae7fe22a875a84e328469e228cba033ebbf20cb;p=karo-tx-linux.git

Bluetooth: check for l2cap header in start fragment

BLUETOOTH SPECIFICATION Version 4.0 [Vol 3] page 36 mentioned
"Note: Start Fragments always begin with the Basic L2CAP header
of a PDU."

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
---

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 5441083ff1ca..7da6432f6799 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -4675,7 +4675,8 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
 			l2cap_conn_unreliable(conn, ECOMM);
 		}
 
-		if (skb->len < 2) {
+		/* Start fragment always begin with Basic L2CAP header */
+		if (skb->len < L2CAP_HDR_SIZE) {
 			BT_ERR("Frame is too short (len %d)", skb->len);
 			l2cap_conn_unreliable(conn, ECOMM);
 			goto drop;