Bluetooth: Fix potential bad memory access with sysfs files
[pandora-kernel.git] / net / bluetooth / rfcomm / core.c
index 89f4a59..cf16407 100644 (file)
@@ -2098,11 +2098,14 @@ static struct hci_cb rfcomm_cb = {
        .security_cfm   = rfcomm_security_cfm
 };
 
-static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+static ssize_t rfcomm_dlc_sysfs_show(struct class *dev,
+                                    struct class_attribute *attr,
+                                    char *buf)
 {
        struct rfcomm_session *s;
        struct list_head *pp, *p;
        char *str = buf;
+       int size = PAGE_SIZE;
 
        rfcomm_lock();
 
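Review bot: `int size = PAGE_SIZE;` relies on `buf` being the single page that sysfs passes to a show callback, but nothing in the function states that assumption, and the new `attr` parameter is accepted without being used in the visible lines. A one-line comment above the declaration would make the bound easy to audit, for example `/* buf is one PAGE_SIZE page supplied by sysfs; size tracks the bytes still free in it */`. The body of rfcomm_dlc_sysfs_show continues past this hunk, so the return statement is not visible here.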
@@ -2111,11 +2114,21 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
                list_for_each(pp, &s->dlcs) {
                        struct sock *sk = s->sock->sk;
                        struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
+                       int len;
 
-                       str += sprintf(str, "%s %s %ld %d %d %d %d\n",
+                       len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
                                        batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
                                        d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
+
+                       size -= len;
+                       if (size <= 0)
+                               break;
+
+                       str += len;
                }
+
+               if (size <= 0)
+                       break;
        }
 
        rfcomm_unlock();
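Review bot: The bound check at `size -= len;` only works because snprintf() returns the length the record would have had rather than the bytes actually stored, and nothing near that line says so. When a record does not fit, snprintf() still writes a truncated prefix at `str`, `size` falls to zero or below, and both loops exit without advancing `str`. The value returned after the hunk (presumably `str - buf`) then stops at the last complete record, and the reader gets no sign that DLCs were left out. I would add `/* snprintf() returns the untruncated length; a record that does not fit is dropped and the listing stops here */` above `size -= len;`. A later switch to scnprintf() would silently turn this into emitting a partial line, which the comment would help prevent.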