Return-Path:
From: Waldemar Rymarkiewicz
To:
CC: Johan Hedberg , , Waldemar Rymarkiewicz
Subject: [PATCH] Bluetooth: Fix possible NULL pointer dereference
Date: Thu, 22 Sep 2011 07:58:12 +0200
Message-ID: <1316671092-4387-1-git-send-email-waldemar.rymarkiewicz@tieto.com>
In-Reply-To: <20110921070804.GA5982@elgon.mountain>
References: <20110921070804.GA5982@elgon.mountain>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID:

From: Waldemar Rymarkiewicz

Checking conn->pending_sec_level if there is no connection leads to
potential null pointer dereference. Don't process pin_code_request_event
at all if no connection exists.

Signed-off-by: Waldemar Rymarkiewicz
---
 net/bluetooth/hci_event.c | 30 ++++++++++++++++--------------
 1 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a520787..41c2562 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2175,24 +2175,26 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff hci_dev_lock(hdev); conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); - if (conn && conn->state == BT_CONNECTED) { - hci_conn_hold(conn); - conn->disc_timeout = HCI_PAIRING_TIMEOUT; - hci_conn_put(conn); - } + if (conn) { + if (conn->state == BT_CONNECTED) { + hci_conn_hold(conn); + conn->disc_timeout = HCI_PAIRING_TIMEOUT; + hci_conn_put(conn); + } - if (!test_bit(HCI_PAIRABLE, &hdev->flags)) - hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, + if (!test_bit(HCI_PAIRABLE, &hdev->flags)) + hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(ev->bdaddr), &ev->bdaddr); - else if (test_bit(HCI_MGMT, &hdev->flags)) { - u8 secure; + else if (test_bit(HCI_MGMT, &hdev->flags)) { + u8 secure; - if (conn->pending_sec_level == BT_SECURITY_HIGH) - secure = 1; - else - secure = 0; + if (conn->pending_sec_level == BT_SECURITY_HIGH) + secure = 1; + else + secure = 0; - mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure); + mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure); + } } hci_dev_unlock(hdev); -- 1.7.6.3
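Review bot: moving the whole body under `if (conn)` changes behaviour beyond the NULL guard: when no ACL connection is found for ev->bdaddr, the old code still sent `HCI_OP_PIN_CODE_NEG_REPLY` whenever HCI_PAIRABLE was clear, and the new code sends nothing, leaving the controller and the remote side to wait out the PIN request. If dropping the negative reply in that case is intended, the commit message should say so; otherwise keep the `!test_bit(HCI_PAIRABLE, &hdev->flags)` branch outside the `if (conn)` and guard only the `conn->pending_sec_level` read, which is the access the changelog is actually worried about. On style, an early `if (!conn)` that jumps to the existing `hci_dev_unlock(hdev)` would avoid re-indenting the block, and the continuation line `sizeof(ev->bdaddr), &ev->bdaddr);` kept its old indentation while the `hci_send_cmd(` call it belongs to moved one level deeper.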