Return-Path:
MIME-Version: 1.0
In-Reply-To: <1431588488-16666-1-git-send-email-jaganath.k@samsung.com>
References: <1431588488-16666-1-git-send-email-jaganath.k@samsung.com>
Date: Sat, 6 Jun 2015 11:07:27 +0530
Message-ID:
Subject: Fwd: [PATCH v1] Bluetooth: Fix potential NULL dereference
From: Jaganath K
To: Marcel Holtmann , linux-bluetooth@vger.kernel.org
Content-Type: multipart/alternative; boundary=14dae9cc9492de68340517d2cd66
List-ID:

--14dae9cc9492de68340517d2cd66
Content-Type: text/plain; charset=UTF-8

addr can be NULL and it should not be dereferenced before NULL checking.

Signed-off-by: Jaganath Kanakkassery
---
 net/bluetooth/rfcomm/sock.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 825e8fb..f9e9a81 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -334,16 +334,19 @@ static int rfcomm_sock_create(struct net *net, struct socket *sock,
 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
 {
- struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
+ struct sockaddr_rc sa;
 struct sock *sk = sock->sk;
- int chan = sa->rc_channel;
- int err = 0;
-
- BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
+ int len, err = 0;
 if (!addr || addr->sa_family != AF_BLUETOOTH)
 return -EINVAL;
+ memset(&sa, 0, sizeof(sa));
+ len = min_t(unsigned int, sizeof(sa), addr_len);
+ memcpy(&sa, addr, len);
+
+ BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
+
 lock_sock(sk);
 if (sk->sk_state != BT_OPEN) {
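Review bot: The new `min_t`/`memcpy` sequence at the top of rfcomm_sock_bind silently accepts an addr_len shorter than sizeof(struct sockaddr_rc): the memset leaves rc_bdaddr as all-zero (BDADDR_ANY) and rc_channel as 0, so a truncated address from user space is bound as "any address, channel 0", and that rc_channel == 0 case also bypasses the __rfcomm_get_listen_sock_by_addr duplicate check in the second hunk. Rejecting the short length up front is the usual kernel pattern and makes the copy exact: `if (!addr || addr_len < (int)sizeof(sa) || addr->sa_family != AF_BLUETOOTH)` / `return -EINVAL;` followed by a plain `memcpy(&sa, addr, sizeof(sa));`, which also removes the `int len` versus `unsigned int` sign mismatch in the min_t expression. The sa_family read still happens before any length check; this is presumably safe because the socket layer copies the user address into a sockaddr_storage before calling bind, but worth confirming. rfcomm_sock_bind's body continues past the end of the hunk.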
@@ -358,12 +361,13 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
 write_lock(&rfcomm_sk_list.lock);
- if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
+ if (sa.rc_channel &&
+ __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
 err = -EADDRINUSE;
 } else {
 /* Save source address */
- bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
- rfcomm_pi(sk)->channel = chan;
+ bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
+ rfcomm_pi(sk)->channel = sa.rc_channel;
 sk->sk_state = BT_BOUND;
 }
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

--14dae9cc9492de68340517d2cd66
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
addr can be NULL and it should not be dereferenced before NULL checking.

Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
---
=C2=A0net/bluetooth/rfcomm/sock.c |=C2=A0 =C2=A020 ++++++++++++--------
=C2=A01 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 825e8fb..f9e9a81 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -334,16 +334,19 @@ static int rfcomm_sock_create(struct net *net, struct= socket *sock,

=C2=A0static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *add= r, int addr_len)
=C2=A0{
-=C2=A0 =C2=A0 =C2=A0 =C2=A0struct sockaddr_rc *sa =3D (struct sockaddr_rc = *) addr;
+=C2=A0 =C2=A0 =C2=A0 =C2=A0struct sockaddr_rc sa;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 struct sock *sk =3D sock->sk;
-=C2=A0 =C2=A0 =C2=A0 =C2=A0int chan =3D sa->rc_channel;
-=C2=A0 =C2=A0 =C2=A0 =C2=A0int err =3D 0;
-
-=C2=A0 =C2=A0 =C2=A0 =C2=A0BT_DBG("sk %p %pMR", sk, &sa->= rc_bdaddr);
+=C2=A0 =C2=A0 =C2=A0 =C2=A0int len, err =3D 0;

=C2=A0 =C2=A0 =C2=A0 =C2=A0 if (!addr || addr->sa_family !=3D AF_BLUETOO= TH)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return -EINVAL;

+=C2=A0 =C2=A0 =C2=A0 =C2=A0memset(&sa, 0, sizeof(sa));
+=C2=A0 =C2=A0 =C2=A0 =C2=A0len =3D min_t(unsigned int, sizeof(sa), addr_le= n);
+=C2=A0 =C2=A0 =C2=A0 =C2=A0memcpy(&sa, addr, len);
+
+=C2=A0 =C2=A0 =C2=A0 =C2=A0BT_DBG("sk %p %pMR", sk, &sa.rc_b= daddr);
+
=C2=A0 =C2=A0 =C2=A0 =C2=A0 lock_sock(sk);

=C2=A0 =C2=A0 =C2=A0 =C2=A0 if (sk->sk_state !=3D BT_OPEN) {
@@ -358,12 +361,13 @@ static int rfcomm_sock_bind(struct socket *sock, stru= ct sockaddr *addr, int addr

=C2=A0 =C2=A0 =C2=A0 =C2=A0 write_lock(&rfcomm_sk_list.lock);

-=C2=A0 =C2=A0 =C2=A0 =C2=A0if (chan && __rfcomm_get_listen_sock_by= _addr(chan, &sa->rc_bdaddr)) {
+=C2=A0 =C2=A0 =C2=A0 =C2=A0if (sa.rc_channel &&
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0__rfcomm_get_listen_sock_by_addr(= sa.rc_channel, &sa.rc_bdaddr)) {
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 err =3D -EADDRINUSE= ;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 } else {
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 /* Save source addr= ess */
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0bacpy(&rfcomm_p= i(sk)->src, &sa->rc_bdaddr);
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfcomm_pi(sk)->c= hannel =3D chan;
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0bacpy(&rfcomm_p= i(sk)->src, &sa.rc_bdaddr);
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfcomm_pi(sk)->c= hannel =3D sa.rc_channel;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 sk->sk_state =3D= BT_BOUND;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 }

--
1.7.9.5

--

--14dae9cc9492de68340517d2cd66--