Commit 2b70d4f9 authored by Dan Carpenter Committed by Marcel Holtmann

Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()



The "opt" variable is a u32, but on some paths only the top bytes
were initialized and the others contained random stack data.

Fixes: a7b75c5a ("net: pass a sockptr_t into ->setsockopt")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent 4fac8a7a
+8 −6
@@ -904,6 +904,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
	struct l2cap_conn *conn;
	int len, err = 0;
	u32 opt;
	u16 mtu;
	u8 mode;

	BT_DBG("sk %p", sk);

@@ -1086,16 +1088,16 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
			break;
		}

		if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
		if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
			err = -EFAULT;
			break;
		}

		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
		    sk->sk_state == BT_CONNECTED)
			err = l2cap_chan_reconfigure(chan, opt);
			err = l2cap_chan_reconfigure(chan, mtu);
		else
			chan->imtu = opt;
			chan->imtu = mtu;

		break;

@@ -1117,14 +1119,14 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
			break;
		}

		if (copy_from_sockptr(&opt, optval, sizeof(u8))) {
		if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
			err = -EFAULT;
			break;
		}

		BT_DBG("opt %u", opt);
		BT_DBG("mode %u", mode);

		err = l2cap_set_mode(chan, opt);
		err = l2cap_set_mode(chan, mode);
		if (err)
			break;
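Review bot: Neither `copy_from_sockptr(&mtu, optval, sizeof(u16))` in the second hunk nor `copy_from_sockptr(&mode, optval, sizeof(u8))` in the third is preceded, within the visible lines, by a check that the caller-supplied option length covers the bytes being copied. When `optval` wraps a kernel buffer the copy is a plain memcpy, so a buffer shorter than the requested size would be over-read. If the part of l2cap_sock_setsockopt() outside these hunks has no earlier length check, add a guard such as `if (optlen < sizeof(mtu)) { err = -EINVAL; break; }` before each copy (this assumes the length parameter is named `optlen`; the signature is cut off in the hunk header). Writing the sizes as `sizeof(mtu)` and `sizeof(mode)` would also tie each copy length to its destination, so the size mismatch this commit fixes cannot return if a type changes.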