michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: L2CAP: Fix possible endless loop

Browse source 
cid is uint16_t and L2CAP_BR_CID_DYN_END is 0xffff so doing
"cid < L2CAP_BR_CID_DYN_END" comparisong is always true resulting
in for loop not being terminated as expected. Check against cid
overflow instead. Code comment is also added for clarity.

Change-Id: I15d6d838ed8b731824e602d089d765614c96c6c1
Signed-off-by: Szymon Janc <ext.szymon.janc@tieto.com>
This commit is contained in:
Szymon Janc 2016-12-23 12:41:07 +01:00 committed by Johan Hedberg
commit fa8a27fc03
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
subsys/bluetooth/host/l2cap_br.c
View file

@ -162,7 +162,11 @@ l2cap_br_chan_alloc_cid(struct bt_conn *conn, struct bt_l2cap_chan *chan)
return ch;
}
for (cid = L2CAP_BR_CID_DYN_START; cid <= L2CAP_BR_CID_DYN_END; cid++) {
/*
* L2CAP_BR_CID_DYN_END is 0xffff so we don't check against it since
* cid is uint16_t, just check against uint16_t overflow
*/
for (cid = L2CAP_BR_CID_DYN_START; cid; cid++) {
if (!bt_l2cap_br_lookup_rx_cid(conn, cid)) {
ch->rx.cid = cid;
return ch;