Fix message length handling when building header
When the message length is greater than 127, the length field in the header
is built incorrectly. According to the spec, when the length is less than 128
the length field is a single byte formatted as:
bbbbbbb1. When it is greater
than 127 then the field is two bytes of the format:
bbbbbbb0 bbbbbbbb.
Signed-off-by: Ken Mills <ken.k.mills@intel.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
if (msg->len < 128)
*--dp = (msg->len << 1) | EA;
else {
- *--dp = ((msg->len & 127) << 1) | EA;
- *--dp = (msg->len >> 6) & 0xfe;
+ *--dp = (msg->len >> 7); /* bits 7 - 15 */
+ *--dp = (msg->len & 127) << 1; /* bits 0 - 6 */
}
}