summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2013-02-06 14:51:14 -0500
committerDavid S. Miller <davem@davemloft.net>2013-02-06 14:51:14 -0500
commitb6ec447df935669d670e82bd66d9d161418efdfa (patch)
tree0a4c792efd730a59adc79d0d2476e0a4b3aa2f2e /net
parentbf414b369f158bb527f9f29174ada815f961b44c (diff)
parentb3b66ae4c8aff0636521034d824b8953dc617335 (diff)
Merge branch 'wireless'
John W. Linville says: ==================== Please consider this pull request for the 3.8 stream... Included is a bluetooth pull. Gustavo says: "Two simple fixes for 3.8. One of the patches fixes a situation where the connection wasn't terminated if a timeout ocurrs for LE an SCO connections. The other fixes prevent NULL dereference in the SMP code, it is a security fix as well." Along with those... Hauke Mehrtens provides a couple of ssb and bcma bus fixes that prevent oopses when unloading those modules. Larry Finger provides and rtlwifi fix to avoid a "scheduling while atomic" bug. Last but certainly not least, Arend van Spriel bring a brcmsmac fix that reworks the mac80211 .flush() callback in order to avoid the dreaded brcms_c_wait_for_tx_completion warnings. This one looks a little large, but I think it is safe and isolated to brcmsmac in any case. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_conn.c6
-rw-r--r--net/bluetooth/smp.c13
2 files changed, 16 insertions, 3 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 25bfce0666e..4925a02ae7e 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -249,12 +249,12 @@ static void hci_conn_disconnect(struct hci_conn *conn)
__u8 reason = hci_proto_disconn_ind(conn);
switch (conn->type) {
- case ACL_LINK:
- hci_acl_disconn(conn, reason);
- break;
case AMP_LINK:
hci_amp_disconn(conn, reason);
break;
+ default:
+ hci_acl_disconn(conn, reason);
+ break;
}
}
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 68a9587c969..5abefb12891 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -859,6 +859,19 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
skb_pull(skb, sizeof(code));
+ /*
+ * The SMP context must be initialized for all other PDUs except
+ * pairing and security requests. If we get any other PDU when
+ * not initialized simply disconnect (done if this function
+ * returns an error).
+ */
+ if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
+ !conn->smp_chan) {
+ BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
+ kfree_skb(skb);
+ return -ENOTSUPP;
+ }
+
switch (code) {
case SMP_CMD_PAIRING_REQ:
reason = smp_cmd_pairing_req(conn, skb);