From 9bf8ad20df99a10fb088c39f4852c46d28dda378 Mon Sep 17 00:00:00 2001
From: Arkadiusz Lichwa
Date: Thu, 9 Jul 2015 12:19:35 +0200
Subject: [PATCH] Bluetooth: ATT: Check ATT payload len against MTU

During allocation ATT pdu buffer there's possibility to precheck whether length of such buffer doesn't exceeds ATT MTU.

Change-Id: I7f729e4d7f7474d7f33e417ea61a00ceeb7426c5
Signed-off-by: Arkadiusz Lichwa
---
 net/bluetooth/att.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/att.c b/net/bluetooth/att.c
index 4ca21e45335..98ccdcb7350 100644
--- a/net/bluetooth/att.c
+++ b/net/bluetooth/att.c
@@ -1311,6 +1311,12 @@ struct bt_buf *bt_att_create_pdu(struct bt_conn *conn, uint8_t op, size_t len)
 {
 struct bt_att_hdr *hdr;
 struct bt_buf *buf;
+ struct bt_att *att = conn->att;
+
+ if (len + sizeof(op) > att->mtu) {
+ BT_WARN("ATT MTU exceeded, max %u, wanted %u\n", att->mtu, len);
+ return NULL;
+ }

 buf = bt_l2cap_create_pdu(conn);
 if (!buf) {
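Review bot: The added bound check `len + sizeof(op) > att->mtu` performs the addition before the comparison, so a `len` near `SIZE_MAX` wraps to a small value and passes the check; subtracting on the MTU side avoids the wrap, e.g. `if (att->mtu < sizeof(op) || len > att->mtu - sizeof(op)) {`. The `BT_WARN` line prints `len`, a `size_t`, with `%u`, which mismatches the argument type wherever `size_t` is wider than `unsigned int`; use `%zu` if the logging backend supports it, or cast explicitly. `conn->att` is dereferenced unconditionally in the new declaration; whether it can be NULL at this point is not visible from the hunk, so confirm that every caller reaches this function only with an attached ATT context. The body of bt_att_create_pdu continues outside the hunk.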