Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
[pandora-kernel.git] / net / bluetooth / l2cap_core.c
index 01116f9..74f57d8 100644 (file)
@@ -2021,6 +2021,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
 
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
+               if (len < 0)
+                       break;
 
                hint  = type & L2CAP_CONF_HINT;
                type &= L2CAP_CONF_MASK;
@@ -2172,6 +2174,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
 
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+               if (len < 0)
+                       break;
 
                switch (type) {
                case L2CAP_CONF_MTU:
@@ -2276,6 +2280,8 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+               if (len < 0)
+                       break;
 
                if (type != L2CAP_CONF_RFC)
                        continue;