git.openpandora.org
/
pandora-kernel.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Bluetooth: Fix potential bad memory access with sysfs files
[pandora-kernel.git]
/
net
/
bluetooth
/
rfcomm
/
core.c
diff --git
a/net/bluetooth/rfcomm/core.c
b/net/bluetooth/rfcomm/core.c
index
89f4a59
..
cf16407
100644
(file)
--- a/
net/bluetooth/rfcomm/core.c
+++ b/
net/bluetooth/rfcomm/core.c
@@
-2098,11
+2098,14
@@
static struct hci_cb rfcomm_cb = {
.security_cfm = rfcomm_security_cfm
};
.security_cfm = rfcomm_security_cfm
};
-static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+static ssize_t rfcomm_dlc_sysfs_show(struct class *dev,
+ struct class_attribute *attr,
+ char *buf)
{
struct rfcomm_session *s;
struct list_head *pp, *p;
char *str = buf;
{
struct rfcomm_session *s;
struct list_head *pp, *p;
char *str = buf;
+ int size = PAGE_SIZE;
rfcomm_lock();
rfcomm_lock();
@@
-2111,11
+2114,21
@@
static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
list_for_each(pp, &s->dlcs) {
struct sock *sk = s->sock->sk;
struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
list_for_each(pp, &s->dlcs) {
struct sock *sk = s->sock->sk;
struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
+ int len;
-
str += sprintf(str
, "%s %s %ld %d %d %d %d\n",
+
len = snprintf(str, size
, "%s %s %ld %d %d %d %d\n",
batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
+
+ size -= len;
+ if (size <= 0)
+ break;
+
+ str += len;
}
}
+
+ if (size <= 0)
+ break;
}
rfcomm_unlock();
}
rfcomm_unlock();