diff options
| author |   David S. Miller <davem@davemloft.net> | 2015-04-07 11:47:52 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-07 11:47:52 -0400 |
| commit | 7abccdba25be45630eede85053496f1f48d36ec8 (patch) | |
| tree | fd87c8b84b1c5fa2f5d1cc9ba36d33855f2a0a6b /net/bluetooth/cmtp/core.c | |
| parent | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (diff) | |
| parent | Bluetooth: Fix location of TX power field in LE advertising data (diff) | |
| download | linux-dev-7abccdba25be45630eede85053496f1f48d36ec8.tar.xz linux-dev-7abccdba25be45630eede85053496f1f48d36ec8.zip | |
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
Johan Hedberg says:
====================
pull request: bluetooth-next 2015-04-04
Here's what's probably the last bluetooth-next pull request for 4.1:
- Fixes for LE advertising data & advertising parameters
- Fix for race condition with HCI_RESET flag
- New BNEPGETSUPPFEAT ioctl, needed for certification
- New HCI request callback type to get the resulting skb
- Cleanups to use BIT() macro wherever possible
- Consolidate Broadcom device entries in the btusb HCI driver
- Check for valid flags in CMTP, HIDP & BNEP
- Disallow local privacy & OOB data combo to prevent a potential race
- Expose SMP & ECDH selftest results through debugfs
- Expose current Device ID info through debugfs
Please let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bluetooth/cmtp/core.c')
| -rw-r--r-- | net/bluetooth/cmtp/core.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c index 278a194e6af4..298ed37010e6 100644 --- a/net/bluetooth/cmtp/core.c +++ b/net/bluetooth/cmtp/core.c @@ -75,10 +75,11 @@ static void __cmtp_unlink_session(struct cmtp_session *session) static void __cmtp_copy_session(struct cmtp_session *session, struct cmtp_conninfo *ci) { + u32 valid_flags = BIT(CMTP_LOOPBACK); memset(ci, 0, sizeof(*ci)); bacpy(&ci->bdaddr, &session->bdaddr); - ci->flags = session->flags; + ci->flags = session->flags & valid_flags; ci->state = session->state; ci->num = session->num; @@ -313,7 +314,7 @@ static int cmtp_session(void *arg) down_write(&cmtp_session_sem); - if (!(session->flags & (1 << CMTP_LOOPBACK))) + if (!(session->flags & BIT(CMTP_LOOPBACK))) cmtp_detach_device(session); fput(session->sock->file); @@ -329,6 +330,7 @@ static int cmtp_session(void *arg) int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) { + u32 valid_flags = BIT(CMTP_LOOPBACK); struct cmtp_session *session, *s; int i, err; @@ -337,6 +339,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) if (!l2cap_is_socket(sock)) return -EBADFD; + if (req->flags & ~valid_flags) + return -EINVAL; + session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL); if (!session) return -ENOMEM; @@ -385,7 +390,7 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) goto unlink; } - if (!(session->flags & (1 << CMTP_LOOPBACK))) { + if (!(session->flags & BIT(CMTP_LOOPBACK))) { err = cmtp_attach_device(session); if (err < 0) { atomic_inc(&session->terminate); @@ -409,11 +414,15 @@ failed: int cmtp_del_connection(struct cmtp_conndel_req *req) { + u32 valid_flags = 0; struct cmtp_session *session; int err = 0; BT_DBG(""); + if (req->flags & ~valid_flags) + return -EINVAL; + down_read(&cmtp_session_sem); session = __cmtp_get_session(&req->bdaddr); |