From fa8a27fc03559ae00ddaaaa839d19dd2c1cdc865 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Fri, 23 Dec 2016 12:41:07 +0100
Subject: [PATCH] Bluetooth: L2CAP: Fix possible endless loop

cid is uint16_t and L2CAP_BR_CID_DYN_END is 0xffff so doing "cid < L2CAP_BR_CID_DYN_END" comparisong is always true resulting in for loop not being terminated as expected. Check against cid overflow instead. Code comment is also added for clarity.

Change-Id: I15d6d838ed8b731824e602d089d765614c96c6c1
Signed-off-by: Szymon Janc
---
 subsys/bluetooth/host/l2cap_br.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/subsys/bluetooth/host/l2cap_br.c b/subsys/bluetooth/host/l2cap_br.c
index d9f656cc786..2ddc78ad4eb 100644
--- a/subsys/bluetooth/host/l2cap_br.c
+++ b/subsys/bluetooth/host/l2cap_br.c
@@ -162,7 +162,11 @@ l2cap_br_chan_alloc_cid(struct bt_conn *conn, struct bt_l2cap_chan *chan)
 return ch;
 }
 
- for (cid = L2CAP_BR_CID_DYN_START; cid <= L2CAP_BR_CID_DYN_END; cid++) {
+ /*
+ * L2CAP_BR_CID_DYN_END is 0xffff so we don't check against it since
+ * cid is uint16_t, just check against uint16_t overflow
+ */
+ for (cid = L2CAP_BR_CID_DYN_START; cid; cid++) {
 if (!bt_l2cap_br_lookup_rx_cid(conn, cid)) {
 ch->rx.cid = cid;
 return ch;
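Review bot: The new loop condition `cid` on the changed `for` line is only correct while L2CAP_BR_CID_DYN_END stays equal to UINT16_MAX, which the added comment states but nothing enforces; if that range is ever narrowed the loop will silently probe CIDs above the dynamic range until the counter wraps. Tie the assumption to the constant with `BUILD_ASSERT(L2CAP_BR_CID_DYN_END == UINT16_MAX);` next to the loop, or write the bound explicitly as a do/while that compares `cid` against L2CAP_BR_CID_DYN_END before incrementing, so the termination no longer depends on wraparound. The wraparound itself is well-defined here because `cid++` on a uint16_t is converted back modulo 2^16, but a reader has to work that out, so the comment could end with `cid wraps to 0 after 0xffff, which ends the loop`. l2cap_br_chan_alloc_cid continues past the hunk, so the exhausted case (loop exits with cid == 0) is not visible; it must report failure rather than hand back ch with rx.cid unset, since before this fix exhaustion meant a hang rather than a refused channel.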