2023-10-14 19:20:28

by Arkadiusz Bokowy

Subject: [PATCH BlueZ] btdev: Fix NULL pointer dereference

Move conn pointer dereference before the done label, because it is a
goto label in case of error handling - when the conn is NULL.
---
emulator/btdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 3840c6150..c76b89db9 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -1327,6 +1327,8 @@ static int cmd_add_sco_conn(struct btdev *dev, const void *data, uint8_t len)
goto done;
}

+ pending_conn_del(dev, conn->link->dev);
+
cc.status = BT_HCI_ERR_SUCCESS;
memcpy(cc.bdaddr, conn->link->dev->bdaddr, 6);
cc.handle = cpu_to_le16(conn->handle);
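Review bot: hoisting pending_conn_del() above the success-path fields fixes the NULL conn dereference on the visible error exit, but it also means any other jump to `done` where conn is valid would no longer run the cleanup; the hunk shows only the single `goto done;`, so please state in the commit message that the NULL-conn check is the sole path to the label, or, if other error exits exist, keep the call at the label guarded with `if (conn)` instead.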
@@ -1334,8 +1336,6 @@ static int cmd_add_sco_conn(struct btdev *dev, const void *data, uint8_t len)
cc.encr_mode = 0x00;

done:
- pending_conn_del(dev, conn->link->dev);
-
send_event(dev, BT_HCI_EVT_CONN_COMPLETE, &cc, sizeof(cc));

return 0;
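Review bot: with the cleanup removed, `done:` is reduced to the shared send_event()/return tail, so every goto into it must have populated `cc.status` (and the remaining `cc` fields) beforehand; a one-line comment above the label noting that it is the common completion-event path for both the NULL-conn error and the success case would make that contract explicit for the next change to this function.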
--
2.39.2


2023-10-14 20:36:08

by bluez.test.bot

Subject: RE: [BlueZ] btdev: Fix NULL pointer dereference

This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=793240

---Test result---

Test Summary:
CheckPatch PASS 0.67 seconds
GitLint PASS 0.33 seconds
BuildEll PASS 27.98 seconds
BluezMake PASS 805.35 seconds
MakeCheck PASS 11.51 seconds
MakeDistcheck PASS 175.45 seconds
CheckValgrind PASS 268.81 seconds
CheckSmatch WARNING 362.31 seconds
bluezmakeextell PASS 116.69 seconds
IncrementalBuild PASS 699.10 seconds
ScanBuild WARNING 1066.45 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/btdev.c:420:29: warning: Variable length array is used.
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
emulator/btdev.c:1083:10: warning: Although the value stored to 'conn' is used in the enclosing expression, the value is never actually read from 'conn'
while ((conn = queue_find(dev->conns, match_handle,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:1456:13: warning: Access to field 'dev' results in a dereference of a null pointer (loaded from variable 'conn')
send_event(conn->dev, BT_HCI_EVT_AUTH_COMPLETE, &ev, sizeof(ev));
^~~~~~~~~
2 warnings generated.

---
Regards,
Linux Bluetooth