Bluetooth: Refactor read_ext_controller_info handler

There is no need to allocate heap for reply only to copy stack data to it. This also fix rp memory leak and missing hdev unlock if kmalloc failed. Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Bluetooth: Refactor read_ext_controller_info handler
There is no need to allocate heap for reply only to copy stack data to it. This also fix rp memory leak and missing hdev unlock if kmalloc failed. Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
7d5c11da · Szymon Janc · Marcel Holtmann · 162f812f · 7d5c11da
Commit 7d5c11da authored Sep 19, 2016 by Szymon Janc Committed by Marcel Holtmann Sep 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 20 deletions

net/bluetooth/mgmt.c net/bluetooth/mgmt.c +16 -20

No files found.
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -881,42 +881,38 @@ static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
 				    void *data, u16 data_len)
 {
-	struct mgmt_rp_read_ext_info *rp;
-	char buff[512];
+	char buf[512];
+	struct mgmt_rp_read_ext_info *rp = (void *)buf;
 	u16 eir_len = 0;
-	u8 name_len;
+	size_t name_len;

 	BT_DBG("sock %p %s", sk, hdev->name);

+	memset(&buf, 0, sizeof(buf));
+
 	hci_dev_lock(hdev);

+	bacpy(&rp->bdaddr, &hdev->bdaddr);
+
+	rp->version = hdev->hci_ver;
+	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
+
+	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
+	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
+
 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
-		eir_len = eir_append_data(buff, eir_len,
-					  EIR_CLASS_OF_DEV,
+		eir_len = eir_append_data(rp->eir, eir_len, EIR_CLASS_OF_DEV,
 					  hdev->dev_class, 3);

 	name_len = strlen(hdev->dev_name);
-	eir_len = eir_append_data(buff, eir_len, EIR_NAME_COMPLETE,
+	eir_len = eir_append_data(rp->eir, eir_len, EIR_NAME_COMPLETE,
 				  hdev->dev_name, name_len);

 	name_len = strlen(hdev->short_name);
-	eir_len = eir_append_data(buff, eir_len, EIR_NAME_SHORT,
+	eir_len = eir_append_data(rp->eir, eir_len, EIR_NAME_SHORT,
 				  hdev->short_name, name_len);

-	rp = kzalloc(sizeof(*rp) + eir_len, GFP_KERNEL);
-	if (!rp)
-		return -ENOMEM;
-
 	rp->eir_len = cpu_to_le16(eir_len);
-	memcpy(rp->eir, buff, eir_len);
-
-	bacpy(&rp->bdaddr, &hdev->bdaddr);
-
-	rp->version = hdev->hci_ver;
-	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
-
-	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
-	rp->current_settings = cpu_to_le32(get_current_settings(hdev));

 	hci_dev_unlock(hdev);