michaelh/zephyr
1
0
Fork 0
Code Releases Activity

net: bt: Fix memory corruption

Browse source 
Patch 235118245864491a592245f57e5244bf61711943 did not set the ll
addresses in the right buffer which causes 6lo to unref buffers
causing a double unref latter.

Jira: ZEP-1890

Change-Id: Id7591ef3c20c7ab62dcb04576406d70602baa129
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Luiz Augusto von Dentz 2017-03-09 16:17:31 +02:00 committed by Jukka Rissanen
commit 50ec0864c6
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
subsys/net/ip/l2/bluetooth.c
View file

@ -183,12 +183,12 @@ static void ipsp_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
/* Set destination address */
net_nbuf_ll_dst(nbuf)->addr = ctxt->src.val;
net_nbuf_ll_dst(nbuf)->len = sizeof(ctxt->src);
net_nbuf_ll_dst(buf)->type = NET_LINK_BLUETOOTH;
net_nbuf_ll_dst(nbuf)->type = NET_LINK_BLUETOOTH;
/* Set source address */
net_nbuf_ll_src(nbuf)->addr = ctxt->dst.val;
net_nbuf_ll_src(nbuf)->len = sizeof(ctxt->dst);
net_nbuf_ll_src(buf)->type = NET_LINK_BLUETOOTH;
net_nbuf_ll_src(nbuf)->type = NET_LINK_BLUETOOTH;
/* Add data buffer as fragment of RX buffer, take a reference while
* doing so since L2CAP will unref the buffer after return.