diff options
author | Gustavo A. R. Silva <gustavoars@kernel.org> | 2024-05-01 11:50:02 -0600 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2024-05-14 10:51:07 -0400 |
commit | 73b2652cbbb9993fe6a4340e6f5a2870d7ce6fb4 (patch) | |
tree | d7e3625284016be39bdf1b8a63e0d59cae71c31f /net | |
parent | d6bb8782b4b6ec14fb6e336f7f8c6a1ccce613b1 (diff) |
Bluetooth: hci_sync: Use cmd->num_cis instead of magic number
At the moment of the check, `cmd->num_cis` holds the value of 0x1f,
which is the max number of elements in the `cmd->cis[]` array at
declaration, which is 0x1f.
So, avoid using 0x1f directly, and instead use `cmd->num_cis`. Similarly
to this other patch[1].
Link: https://lore.kernel.org/linux-hardening/ZivaHUQyDDK9fXEk@neat/ [1]
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/hci_sync.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 406e36cacd79..813c11d61bca 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -6556,7 +6556,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev) cis->cis_handle = cpu_to_le16(conn->handle); aux_num_cis++; - if (aux_num_cis >= 0x1f) + if (aux_num_cis >= cmd->num_cis) break; } cmd->num_cis = aux_num_cis; |