From a94e81ba3e77e87c5621919bb7b8092bad2fed88 Mon Sep 17 00:00:00 2001
From: ZhongYao Luo
Date: Thu, 26 Dec 2019 14:26:26 +0800
Subject: [PATCH] Bluetooth: RFCOMM: Fix length errors when payload exceeds 127 hdr->length is the length of the payload, it should be buf->len - sizeof(*hdr) - 1 or buf->len - (sizeof(*hdr) + 1)
Signed-off-by: ZhongYao Luo
---
 subsys/bluetooth/host/rfcomm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subsys/bluetooth/host/rfcomm.c b/subsys/bluetooth/host/rfcomm.c
index 49a29e85d4b..44fe0deb779 100644
--- a/subsys/bluetooth/host/rfcomm.c
+++ b/subsys/bluetooth/host/rfcomm.c
@@ -1431,7 +1431,7 @@ int bt_rfcomm_dlc_send(struct bt_rfcomm_dlc *dlc, struct net_buf *buf)
 hdr = net_buf_push(buf, sizeof(*hdr) + 1);
 len = (u16_t *)&hdr->length;
 *len = BT_RFCOMM_SET_LEN_16(sys_cpu_to_le16(buf->len -
- sizeof(*hdr) + 1));
+ sizeof(*hdr) - 1));
 } else {
 hdr = net_buf_push(buf, sizeof(*hdr));
 hdr->length = BT_RFCOMM_SET_LEN_8(buf->len - sizeof(*hdr));
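Review bot: The two-byte length is still stored through `(u16_t *)&hdr->length` on the context line just above the fixed expression, a 16-bit write through a pointer cast from what appears to be a single-byte header field, which becomes a misaligned store if the net_buf data pointer is not 2-byte aligned. `BT_RFCOMM_SET_LEN_16` is also applied after `sys_cpu_to_le16()`, so if the macro shifts its argument (its body is not visible here) the shift would act on the already-swapped value on a big-endian host. Building the value in host order and storing it bytewise avoids both, e.g. `sys_put_le16(BT_RFCOMM_SET_LEN_16(buf->len - sizeof(*hdr) - 1), &hdr->length);`. Writing the subtraction as `buf->len - (sizeof(*hdr) + 1)` would mirror the `net_buf_push(buf, sizeof(*hdr) + 1)` call and make the extended header size obvious. bt_rfcomm_dlc_send starts and ends outside this hunk, so whether the payload is checked against the 15-bit length range before this point cannot be confirmed from here.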