Bluetooth: Properly check L2CAP config option output buffer length
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Bug
1989825
Change-Id: Id158ece2176c4ac339a7232dfde8c47ce2241122
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/
1558952
(cherry picked from commit
c005032a3ffe77437f6ebc704af377fc9bc46279)
Reviewed-on: https://git-master.nvidia.com/r/
1570529
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>