Bluetooth: Add len check to bt_l2cap_create_pdu

Check if buffer created is not too short for the len requested and in
case it is print an error and return NULL.

Change-Id: I2361925dfb83fe5e9746445c54e8f39e82b5504d
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Luiz Augusto von Dentz 2015-05-06 10:59:43 +03:00 committed by Anas Nashif
commit 7ab174d202

@ -40,6 +40,13 @@ struct bt_buf *bt_l2cap_create_pdu(struct bt_conn *conn, uint16_t cid,
return NULL;
}
/* Check if buf created has enough space */
if (bt_buf_tailroom(buf) - sizeof(*hdr) < len) {
BT_ERR("Buffer too short\n");
bt_buf_put(buf);
return NULL;
}
hdr = (void *)bt_buf_add(buf, sizeof(*hdr));
hdr->len = sys_cpu_to_le16(len);
hdr->cid = sys_cpu_to_le16(cid);
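
Review bot: The new condition `bt_buf_tailroom(buf) - sizeof(*hdr) < len` subtracts before comparing, and because `sizeof` yields a `size_t` the subtraction is done in unsigned arithmetic. If the tailroom is ever smaller than `sizeof(*hdr)`, the result wraps to a very large value, the comparison is false, and the function falls through to `bt_buf_add(buf, sizeof(*hdr))` on a buffer that cannot even hold the header, which is the case this check is meant to reject. Writing the test as an addition avoids the wrap: `if (bt_buf_tailroom(buf) < sizeof(*hdr) + len)`. A smaller point on the same lines: `BT_ERR("Buffer too short\n")` would be more useful for debugging if it logged the requested `len` and the available tailroom.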