|
|
@@ -2334,7 +2334,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
|
|
|
|
|
|
/* Reject if config buffer is too small. */
|
|
|
len = cmd_len - sizeof(*req);
|
|
|
- if (chan->conf_len + len > sizeof(chan->conf_req)) {
|
|
|
+ if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
|
|
|
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
|
|
|
l2cap_build_conf_rsp(chan, rsp,
|
|
|
L2CAP_CONF_REJECT, flags), rsp);
|
Dan Rosenberg