Bluetooth: L2CAP: Fix possibly reading past the end of buffer

If the original buffer cannot be reused, either by no having enough
space for user data or if is fragmented, it can in fact be smaller than
both the segment buffer and MPS.

Change-Id: I59a537aff59c5d56b2883e9bd51f3a1a3932d348
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Luiz Augusto von Dentz 2016-11-20 00:23:58 +02:00 committed by Johan Hedberg
commit 30838af5e9

View file

@ -1594,6 +1594,8 @@ segment:
/* Don't send more that TX MPS including SDU length */
len = min(net_buf_tailroom(seg), ch->tx.mps - sdu_hdr_len);
/* Limit if original buffer is smaller than the segment */
len = min(buf->len, len);
memcpy(net_buf_add(seg, len), buf->data, len);
net_buf_pull(buf, len);