summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/bluetooth/l2cap.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 36cd4e4e6ad..ac00f5fac2d 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3627,10 +3627,17 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
if (l2cap_check_fcs(pi, skb))
goto drop;
- if (__is_iframe(control))
+ if (__is_iframe(control)) {
+ if (len < 4)
+ goto drop;
+
l2cap_data_channel_iframe(sk, control, skb);
- else
+ } else {
+ if (len != 0)
+ goto drop;
+
l2cap_data_channel_sframe(sk, control, skb);
+ }
goto done;
@@ -3645,7 +3652,8 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
if (pi->fcs == L2CAP_FCS_CRC16)
len -= 2;
- if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control))
+ if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || len < 4
+ || __is_sframe(control))
goto drop;
if (l2cap_check_fcs(pi, skb))