Bluetooth: Don't accept ConfigReq if we aren't in the BT_CONFIG state

If such event happens we shall reply with a Command Reject, because we are
not expecting any configure request.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 6a33d26..f6e46fd 100644 (file)
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3052,8 +3052,14 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        if (!sk)
                return -ENOENT;
 
-       if (sk->sk_state == BT_DISCONN)
+       if (sk->sk_state != BT_CONFIG) {
+               struct l2cap_cmd_rej rej;
+
+               rej.reason = cpu_to_le16(0x0002);
+               l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
+                               sizeof(rej), &rej);
                goto unlock;
+       }
 
        /* Reject if config buffer is too small. */
        len = cmd_len - sizeof(*req);