1 From 8f321f853ea33330c7141977cd34804476e2e07e Mon Sep 17 00:00:00 2001
2 From: Szymon Janc <szymon.janc@tieto.com>
3 Date: Fri, 8 Jun 2012 11:33:33 +0200
4 Subject: Bluetooth: Fix using uninitialized option in RFCMode
5
6 From: Szymon Janc <szymon.janc@tieto.com>
7
8 commit 8f321f853ea33330c7141977cd34804476e2e07e upstream.
9
10 If remote device sends bogus RFC option with invalid length,
11 undefined options values are used. Fix this by using defaults when
12 remote misbehaves.
13
14 This also fixes the following warning reported by gcc 4.7.0:
15
16 net/bluetooth/l2cap_core.c: In function 'l2cap_config_rsp':
17 net/bluetooth/l2cap_core.c:3302:13: warning: 'rfc.max_pdu_size' may be used uninitialized in this function [-Wmaybe-uninitialized]
18 net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.max_pdu_size' was declared here
19 net/bluetooth/l2cap_core.c:3298:25: warning: 'rfc.monitor_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
20 net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.monitor_timeout' was declared here
21 net/bluetooth/l2cap_core.c:3297:25: warning: 'rfc.retrans_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
22 net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.retrans_timeout' was declared here
23 net/bluetooth/l2cap_core.c:3295:2: warning: 'rfc.mode' may be used uninitialized in this function [-Wmaybe-uninitialized]
24 net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.mode' was declared here
25
26 Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
27 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29
30 ---
31 net/bluetooth/l2cap_core.c | 14 ++++++++------
32 1 file changed, 8 insertions(+), 6 deletions(-)
33
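--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2585,12 +2585,14 @@ static void l2cap_conf_rfc_get(struct l2
 while (len >= L2CAP_CONF_OPT_SIZE) {
 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
 
- switch (type) {
- case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *)val, olen);
- goto done;
- }
+ if (type != L2CAP_CONF_RFC)
+ continue;
+
+ if (olen != sizeof(rfc))
+ break;
+
+ memcpy(&rfc, (void *)val, olen);
+ goto done;
 }
 
 /* Use sane default values in case a misbehaving remote device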
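Review bot: The added `olen != sizeof(rfc)` test validates the length the option claims, but nothing in this hunk checks that those bytes are actually present in the rest of the response before `memcpy(&rfc, (void *)val, olen)` copies them. `len` is decremented by the return value of `l2cap_get_conf_opt()` and is only looked at again by the `while` condition, so an RFC option whose header sits at the end of a truncated response would, as far as these lines show, still be copied from beyond the received data. Adding `if (len < 0) break;` directly after the `len -= l2cap_get_conf_opt(...)` line would send that case to the defaults as well. This assumes `len` is a signed int and that the helper returns the header size plus the claimed option length; the helper and the start and end of `l2cap_conf_rfc_get()` are outside the hunk, so confirm against them.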