Commit 4d6a2188 authored by Marcel Holtmann's avatar Marcel Holtmann Committed by David S. Miller

[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()

When calling send() with a zero length parameter on a RFCOMM socket
it returns a positive value. In this rare case the variable err is
used uninitialized and unfortunately its value is returned.
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent b6e557fb
...@@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
struct sk_buff *skb; struct sk_buff *skb;
int err;
int sent = 0; int sent = 0;
if (msg->msg_flags & MSG_OOB) if (msg->msg_flags & MSG_OOB)
...@@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
while (len) { while (len) {
size_t size = min_t(size_t, len, d->mtu); size_t size = min_t(size_t, len, d->mtu);
int err;
skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
msg->msg_flags & MSG_DONTWAIT, &err); msg->msg_flags & MSG_DONTWAIT, &err);
...@@ -582,6 +582,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -582,6 +582,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size); err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
if (err) { if (err) {
kfree_skb(skb); kfree_skb(skb);
if (sent == 0)
sent = err; sent = err;
break; break;
} }
...@@ -589,6 +590,8 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -589,6 +590,8 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
err = rfcomm_dlc_send(d, skb); err = rfcomm_dlc_send(d, skb);
if (err < 0) { if (err < 0) {
kfree_skb(skb); kfree_skb(skb);
if (sent == 0)
sent = err;
break; break;
} }
...@@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
release_sock(sk); release_sock(sk);
return sent ? sent : err; return sent;
} }
static long rfcomm_sock_data_wait(struct sock *sk, long timeo) static long rfcomm_sock_data_wait(struct sock *sk, long timeo)
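Review bot: With the function now ending in `return sent;` and `err` scoped to the loop body, the failure path of `sock_alloc_send_skb(..., &err)` needs the same treatment as the two error branches patched here, and it does not appear in any visible hunk. If the NULL-skb check after that call still only breaks, a failed allocation on the first iteration returns 0 instead of the error code, so the caller cannot tell a failure from a zero-byte send. I would add `if (sent == 0) sent = err;` ahead of that `break`, matching the `memcpy_fromiovec()` and `rfcomm_dlc_send()` branches. The body of rfcomm_sock_sendmsg() extends beyond the hunks shown, so this should be confirmed against the full function.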