[BLUETOOTH]: pass (host-endian) cmd length as explicit argument to l2cap_conf_req()

author Al Viro <viro@zeniv.linux.org.uk>

Sun, 29 Jul 2007 07:17:25 +0000 (00:17 -0700)

committer David S. Miller <davem@sunset.davemloft.net>

Tue, 31 Jul 2007 09:28:08 +0000 (02:28 -0700)
author Al Viro <viro@zeniv.linux.org.uk>
Sun, 29 Jul 2007 07:17:25 +0000 (00:17 -0700)
committer David S. Miller <davem@sunset.davemloft.net>
Tue, 31 Jul 2007 09:28:08 +0000 (02:28 -0700)
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c

index 09126bf..03309d2 100644 (file)
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1530,7 +1530,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
         return 0;
  }
  
-static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
  {
         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
         u16 dcid, flags;
@@ -1550,7 +1550,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                 goto unlock;
  
         /* Reject if config buffer is too small. */
-       len = cmd->len - sizeof(*req);
+       len = cmd_len - sizeof(*req);
         if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
                                 l2cap_build_conf_rsp(sk, rsp,
@@ -1748,15 +1748,17 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
         l2cap_raw_recv(conn, skb);
  
         while (len >= L2CAP_CMD_HDR_SIZE) {
+               u16 cmd_len;
                 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
                 data += L2CAP_CMD_HDR_SIZE;
                 len  -= L2CAP_CMD_HDR_SIZE;
  
-               cmd.len = __le16_to_cpu(cmd.len);
+               cmd_len = le16_to_cpu(cmd.len);
+               cmd.len = cmd_len;
  
-               BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd.len, cmd.ident);
+               BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
  
-               if (cmd.len > len || !cmd.ident) {
+               if (cmd_len > len || !cmd.ident) {
                         BT_DBG("corrupted command");
                         break;
                 }
@@ -1775,7 +1777,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
                         break;
  
                 case L2CAP_CONF_REQ:
-                       err = l2cap_config_req(conn, &cmd, data);
+                       err = l2cap_config_req(conn, &cmd, cmd_len, data);
                         break;
  
                 case L2CAP_CONF_RSP:
@@ -1791,7 +1793,7 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
                         break;
  
                 case L2CAP_ECHO_REQ:
-                       l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd.len, data);
+                       l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
                         break;
  
                 case L2CAP_ECHO_RSP:
@@ -1820,8 +1822,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *sk
                         l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
                 }
  
-               data += cmd.len;
-               len  -= cmd.len;
+               data += cmd_len;
+               len  -= cmd_len;
         }
  
         kfree_skb(skb);
author	Al Viro <viro@zeniv.linux.org.uk>
	Sun, 29 Jul 2007 07:17:25 +0000 (00:17 -0700)
committer	David S. Miller <davem@sunset.davemloft.net>
	Tue, 31 Jul 2007 09:28:08 +0000 (02:28 -0700)