Bluetooth: Restrict CMTP flags to only valid ones

The CMTP flags should be clearly restricted to valid ones. So this puts
extra checks in place to ensure this.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 278a194..ddbc348 100644 (file)
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -75,10 +75,11 @@ static void __cmtp_unlink_session(struct cmtp_session *session)
 
 static void __cmtp_copy_session(struct cmtp_session *session, struct cmtp_conninfo *ci)
 {
+       u32 valid_flags = BIT(CMTP_LOOPBACK);
        memset(ci, 0, sizeof(*ci));
        bacpy(&ci->bdaddr, &session->bdaddr);
 
-       ci->flags = session->flags;
+       ci->flags = session->flags & valid_flags;
        ci->state = session->state;
 
        ci->num = session->num;
@@ -329,6 +330,7 @@ static int cmtp_session(void *arg)
 
 int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 {
+       u32 valid_flags = BIT(CMTP_LOOPBACK);
        struct cmtp_session *session, *s;
        int i, err;
 
@@ -337,6 +339,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
        if (!l2cap_is_socket(sock))
                return -EBADFD;
 
+       if (req->flags & ~valid_flags)
+               return -EINVAL;
+
        session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
        if (!session)
                return -ENOMEM;
@@ -409,11 +414,15 @@ failed:
 
 int cmtp_del_connection(struct cmtp_conndel_req *req)
 {
+       u32 valid_flags = 0;
        struct cmtp_session *session;
        int err = 0;
 
        BT_DBG("");
 
+       if (req->flags & ~valid_flags)
+               return -EINVAL;
+
        down_read(&cmtp_session_sem);
 
        session = __cmtp_get_session(&req->bdaddr);