summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSzymon Janc <szymon.janc@tieto.com>2014-10-13 11:43:53 +0200
committerMarcel Holtmann <marcel@holtmann.org>2014-10-25 07:56:24 +0200
commitec511545ef791577ed9dd055e3b2d6d926b85daf (patch)
treec579a73d0960f8b0d45f72a75a0ce9957265799b
parent89cbb0638e9b7ba6fab02558f47a29f144df1a19 (diff)
downloadlinux-ec511545ef791577ed9dd055e3b2d6d926b85daf.tar.gz
linux-ec511545ef791577ed9dd055e3b2d6d926b85daf.tar.bz2
linux-ec511545ef791577ed9dd055e3b2d6d926b85daf.zip
Bluetooth: Fix RFCOMM NSC response
rfcomm_send_nsc expects CR to be either 0 or 1 since it is later passed to __mcc_type macro and shitfed. Unfortunatelly CR extracted from received frame type was not sanitized and shifted value was passed resulting in bogus response. Note: shifted value was also passed to other functions but was used only in if satements so this bug appears only for NSC case. The CR bit in the value octet shall be set to the same value as the CR bit in the type field octet of the not supported command frame but the CR bit for NCS response should be set to 0 since it is always a response. This was affecting TC_RFC_BV_25_C PTS qualification test. Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-rw-r--r--net/bluetooth/rfcomm/core.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index af73bc3acb40..d0bbc737f162 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -78,7 +78,7 @@ static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
#define __get_type(b) ((b & 0xef))
#define __test_ea(b) ((b & 0x01))
-#define __test_cr(b) ((b & 0x02))
+#define __test_cr(b) (!!(b & 0x02))
#define __test_pf(b) ((b & 0x10))
#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
@@ -904,7 +904,7 @@ static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
hdr->len = __len8(sizeof(*mcc) + 1);
mcc = (void *) ptr; ptr += sizeof(*mcc);
- mcc->type = __mcc_type(cr, RFCOMM_NSC);
+ mcc->type = __mcc_type(0, RFCOMM_NSC);
mcc->len = __len8(1);
/* Type that we didn't like */