git.openpandora.org / pandora-kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetoot...
[pandora-kernel.git] / net / bluetooth / l2cap_core.c
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 52c791e..f7f8e2c 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2523,7 +2523,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
 
        sk = chan->sk;
 
-       if (chan->state != BT_CONFIG) {
+       if ((bt_sk(sk)->defer_setup && chan->state != BT_CONNECT2) ||
+                (!bt_sk(sk)->defer_setup && chan->state != BT_CONFIG)) {
                struct l2cap_cmd_rej_cid rej;
 
                rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
@@ -2537,7 +2538,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
 
        /* Reject if config buffer is too small. */
        len = cmd_len - sizeof(*req);
-       if (chan->conf_len + len > sizeof(chan->conf_req)) {
+       if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
                                l2cap_build_conf_rsp(chan, rsp,
                                        L2CAP_CONF_REJECT, flags), rsp);
Pandora Kernel Repository