From 2c589c8338c80124a0cc4a4e8aa806fd93909f9e Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri, 29 Sep 2017 16:13:28 -0700
Subject: [PATCH] Bluetooth: bnep: bnep_add_connection() should verify that
 it's dealing with l2cap socket

same story as cmtp

Bug: 33982955
Change-Id: I60ce3e3b5a5a0e41ddaec155a0c6a46307eedeb7
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 net/bluetooth/bnep/core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index f5049219219..67710d4927a 100755
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -50,8 +50,8 @@
 #include <asm/unaligned.h>
 
 #include <net/bluetooth/bluetooth.h>
-#include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/l2cap.h>
+#include <net/bluetooth/hci_core.h>
 
 #include "bnep.h"
 
@@ -563,6 +563,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
 	u8 dst[ETH_ALEN], src[ETH_ALEN];
 	int err;
 
+	if (!l2cap_is_socket(sock))
+		return -EBADFD;
+
 	BT_DBG("");
 
 	baswap((void *) dst, &bt_sk(sock->sk)->dst);