Bluetooth: L2CAP: Fix possibly reading past the end of buffer
If the original buffer cannot be reused, either by no having enough space for user data or if is fragmented, it can in fact be smaller than both the segment buffer and MPS. Change-Id: I59a537aff59c5d56b2883e9bd51f3a1a3932d348 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Luiz Augusto von Dentz
Johan Hedberg
parent
37b0e0ab2e
commit
30838af5e9
1 changed files with 2 additions and 0 deletions
|
|
@ -1594,6 +1594,8 @@ segment:
|
|||
|
||||
/* Don't send more that TX MPS including SDU length */
|
||||
len = min(net_buf_tailroom(seg), ch->tx.mps - sdu_hdr_len);
|
||||
/* Limit if original buffer is smaller than the segment */
|
||||
len = min(buf->len, len);
|
||||
memcpy(net_buf_add(seg, len), buf->data, len);
|
||||
net_buf_pull(buf, len);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue