Bluetooth: Fix wrong set of skb fragments

If alloc() fails we let the frags linked list with garbage value (the err ptr value) in its last element. Reported-by: N Mat Martineau <mathewm@codeaurora.org> Signed-off-by: N Gustavo Padovan <gustavo@padovan.org> Signed-off-by: N Johan Hedberg <johan.hedberg@intel.com>

Bluetooth: Fix wrong set of skb fragments
If alloc() fails we let the frags linked list with garbage value (the err ptr value) in its last element. Reported-by: N Mat Martineau <mathewm@codeaurora.org> Signed-off-by: N Gustavo Padovan <gustavo@padovan.org> Signed-off-by: N Johan Hedberg <johan.hedberg@intel.com>
fbe00700 · Gustavo Padovan · Gustavo Padovan · 08e6d907 · fbe00700
隐藏空白更改
内联并排

Showing with 8 addition and 4 deletion

net/bluetooth/l2cap_core.c net/bluetooth/l2cap_core.c +8 -4

未找到文件。
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1836,13 +1836,17 @@ static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
 	/* Continuation fragments (no L2CAP header) */
 	frag = &skb_shinfo(skb)->frag_list;
 	while (len) {
+		struct sk_buff *tmp;
+
 		count = min_t(unsigned int, conn->mtu, len);

-		*frag = chan->ops->alloc_skb(chan, count,
-					     msg->msg_flags & MSG_DONTWAIT);
+		tmp = chan->ops->alloc_skb(chan, count,
+					   msg->msg_flags & MSG_DONTWAIT);
+		if (IS_ERR(tmp))
+			return PTR_ERR(tmp);
+
+		*frag = tmp;

-		if (IS_ERR(*frag))
-			return PTR_ERR(*frag);
 		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
 			return -EFAULT;