From 30838af5e92384cb94d5aa4bf097c41ed4c2cd2c Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Sun, 20 Nov 2016 00:23:58 +0200
Subject: [PATCH] Bluetooth: L2CAP: Fix possibly reading past the end of buffer

If the original buffer cannot be reused, either by no having enough space for user data or if is fragmented, it can in fact be smaller than both the segment buffer and MPS.

Change-Id: I59a537aff59c5d56b2883e9bd51f3a1a3932d348
Signed-off-by: Luiz Augusto von Dentz
---
 subsys/bluetooth/host/l2cap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
index 7260af6c459..eab619573d9 100644
--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -1594,6 +1594,8 @@ segment:
 	/* Don't send more that TX MPS including SDU length */
 	len = min(net_buf_tailroom(seg), ch->tx.mps - sdu_hdr_len);
+	/* Limit if original buffer is smaller than the segment */
+	len = min(buf->len, len);
 	memcpy(net_buf_add(seg, len), buf->data, len);
 	net_buf_pull(buf, len);
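Review bot: Nothing after the new clamp handles `buf->len == 0`: if an already-drained buffer reaches `segment:`, `len = min(buf->len, len);` yields 0 and the following `memcpy`/`net_buf_pull` quietly build an empty segment rather than failing; whether that path is reachable depends on the caller, which lies outside the hunk, so an `__ASSERT` on `len > 0` or an explicit error return may be warranted. The added comment would be more useful if it said why the clamp exists, e.g. `/* buf may be a fresh allocation smaller than both seg's tailroom and MPS, so clamp to avoid reading past buf->data + buf->len */`. The pre-existing context comment reads "more that" where "more than" is meant. The enclosing function starts and ends outside the hunk.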