diff options
| author |   Marcel Holtmann <marcel@holtmann.org> | 2013-10-02 08:28:21 -0700 |
|---|---|---|
| committer |   Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-10-02 17:17:05 -0300 |
| commit | 3b1662952ea9c2c32aac11d60f824fb94b2cf546 (patch) | |
| tree | 30dbdf71af1b04d42d61ce8a70eb0c4aa10bde3b /net/bluetooth | |
| parent | Bluetooth: Add the definition for Slave Page Response Timeout (diff) | |
| download | linux-dev-3b1662952ea9c2c32aac11d60f824fb94b2cf546.tar.xz linux-dev-3b1662952ea9c2c32aac11d60f824fb94b2cf546.zip | |
Bluetooth: Fix memory leak with L2CAP signal channels
The wrong type of L2CAP signalling packets on the wrong type of
either BR/EDR or LE links need to be dropped. When that happens
the packet is dropped, but the memory not freed. So actually
free the memory as well.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net/bluetooth')
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 6d42498e862b..814563d15476 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5330,7 +5330,7 @@ static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, l2cap_raw_recv(conn, skb); if (hcon->type != LE_LINK) - return; + goto drop; while (len >= L2CAP_CMD_HDR_SIZE) { u16 cmd_len; @@ -5363,6 +5363,7 @@ static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, len -= cmd_len; } +drop: kfree_skb(skb); } @@ -5378,7 +5379,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, l2cap_raw_recv(conn, skb); if (hcon->type != ACL_LINK) - return; + goto drop; while (len >= L2CAP_CMD_HDR_SIZE) { u16 cmd_len; @@ -5411,6 +5412,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, len -= cmd_len; } +drop: kfree_skb(skb); } |