Bluetooth: L2CAP: Fix possible endless loop
cid is uint16_t and L2CAP_BR_CID_DYN_END is 0xffff, so the "cid < L2CAP_BR_CID_DYN_END" comparison is always true, resulting in the for loop not being terminated as expected. Check against cid overflow instead. A code comment is also added for clarity.

Change-Id: I15d6d838ed8b731824e602d089d765614c96c6c1
Signed-off-by: Szymon Janc <ext.szymon.janc@tieto.com>
parent fe7d3392cd
commit fa8a27fc03
1 changed files with 5 additions and 1 deletions
|
@ -162,7 +162,11 @@ l2cap_br_chan_alloc_cid(struct bt_conn *conn, struct bt_l2cap_chan *chan)
|
|||
return ch;
|
||||
}
|
||||
|
||||
for (cid = L2CAP_BR_CID_DYN_START; cid <= L2CAP_BR_CID_DYN_END; cid++) {
|
||||
/*
|
||||
* L2CAP_BR_CID_DYN_END is 0xffff so we don't check against it since
|
||||
* cid is uint16_t, just check against uint16_t overflow
|
||||
*/
|
||||
for (cid = L2CAP_BR_CID_DYN_START; cid; cid++) {
|
||||
if (!bt_l2cap_br_lookup_rx_cid(conn, cid)) {
|
||||
ch->rx.cid = cid;
|
||||
return ch;
|
||||
|
|
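Review bot: the termination condition in the new `for (cid = L2CAP_BR_CID_DYN_START; cid; cid++)` depends on two things this hunk does not enforce: that cid remains a uint16_t and that L2CAP_BR_CID_DYN_END remains 0xffff. If the upper bound of the dynamic range is ever lowered, or cid is widened, the loop will keep allocating or scanning past the intended range with no compiler diagnostic, because the bound no longer appears in the loop at all. Consider adding a compile-time assertion next to the new comment that L2CAP_BR_CID_DYN_END equals 0xffff, or iterating with a wider counter and keeping the explicit `<= L2CAP_BR_CID_DYN_END` bound. Minor: the commit message quotes the old condition as `cid < L2CAP_BR_CID_DYN_END`, while the removed line uses `<=`; only the `<=` form is always true for a uint16_t, so the message should match the code.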