diff options
author | Szymon Janc <szymon.janc@tieto.com> | 2014-10-13 11:43:53 +0200 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2014-10-25 07:56:24 +0200 |
commit | ec511545ef791577ed9dd055e3b2d6d926b85daf (patch) | |
tree | c579a73d0960f8b0d45f72a75a0ce9957265799b | |
parent | 89cbb0638e9b7ba6fab02558f47a29f144df1a19 (diff) | |
download | linux-ec511545ef791577ed9dd055e3b2d6d926b85daf.tar.gz linux-ec511545ef791577ed9dd055e3b2d6d926b85daf.tar.bz2 linux-ec511545ef791577ed9dd055e3b2d6d926b85daf.zip |
Bluetooth: Fix RFCOMM NSC response
rfcomm_send_nsc expects CR to be either 0 or 1 since it is later
passed to __mcc_type macro and shitfed. Unfortunatelly CR extracted
from received frame type was not sanitized and shifted value was passed
resulting in bogus response.
Note: shifted value was also passed to other functions but was used
only in if satements so this bug appears only for NSC case.
The CR bit in the value octet shall be set to the same value
as the CR bit in the type field octet of the not supported command
frame but the CR bit for NCS response should be set to 0 since it is
always a response.
This was affecting TC_RFC_BV_25_C PTS qualification test.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-rw-r--r-- | net/bluetooth/rfcomm/core.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index af73bc3acb40..d0bbc737f162 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -78,7 +78,7 @@ static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); #define __get_type(b) ((b & 0xef)) #define __test_ea(b) ((b & 0x01)) -#define __test_cr(b) ((b & 0x02)) +#define __test_cr(b) (!!(b & 0x02)) #define __test_pf(b) ((b & 0x10)) #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) @@ -904,7 +904,7 @@ static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) hdr->len = __len8(sizeof(*mcc) + 1); mcc = (void *) ptr; ptr += sizeof(*mcc); - mcc->type = __mcc_type(cr, RFCOMM_NSC); + mcc->type = __mcc_type(0, RFCOMM_NSC); mcc->len = __len8(1); /* Type that we didn't like */ |