Bluetooth: Fix buffer overflow with ACL fragments

The fragments we create should not be greater than the connection ACL
MTU (which the code already does correctly), but they also cannot be
larger than the room the buffer has for data. Fix this by taking the
minimum of the connection MTU and the buffer tail room.

Change-Id: I27462d7e8752773c632d212b28e53a8cf6519972
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Johan Hedberg 2015-12-15 14:48:23 +02:00 committed by Anas Nashif
commit 8ff6884077


@ -400,6 +400,7 @@ static inline uint16_t conn_mtu(struct bt_conn *conn)
static struct net_buf *create_frag(struct bt_conn *conn, struct net_buf *buf)
{
struct net_buf *frag;
uint16_t frag_len;
frag = bt_conn_create_pdu(&frag_buf, 0);
if (conn->state != BT_CONN_CONNECTED) {
@ -410,8 +411,10 @@ static struct net_buf *create_frag(struct bt_conn *conn, struct net_buf *buf)
return NULL;
}
memcpy(net_buf_add(frag, conn_mtu(conn)), buf->data, conn_mtu(conn));
net_buf_pull(buf, conn_mtu(conn));
frag_len = min(conn_mtu(conn), net_buf_tailroom(frag));
memcpy(net_buf_add(frag, frag_len), buf->data, frag_len);
net_buf_pull(buf, frag_len);
return frag;
}
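Review bot: In the second hunk frag_len is clamped by conn_mtu(conn) and the fragment's tailroom but not by the data actually left in the source buffer, so if create_frag is ever entered with buf->len smaller than frag_len the memcpy on the following line reads past the end of buf->data and net_buf_pull over-pulls; whether every caller guarantees buf->len >= conn_mtu(conn) is not visible in these hunks. If that precondition holds, record it above the assignment, e.g. `/* Callers only fragment while buf->len exceeds conn_mtu(conn), so frag_len never exceeds the remaining data. */`; otherwise add a third bound, `frag_len = min(frag_len, buf->len);`. Note also that min() is presumably a macro evaluating its arguments twice and mixing uint16_t with the return type of net_buf_tailroom(), so the narrowing into the uint16_t frag_len relies on the MTU bound holding — worth a short comment. The body between the two hunks (the connection-state check starting at the end of the first hunk) lies outside the visible lines.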