summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2006-02-13 13:40:03 +0300
committerMarcel Holtmann <marcel@holtmann.org>2006-02-13 13:40:03 +0300
commit7b005bd34c895ebeefd1c62f90a329730b88946b (patch)
tree7a7143c1b29b902122fe5e17a10ad4cb2ec66291
parent56f3a40a5e7586043260669cc794e56fa58339e1 (diff)
downloadlinux-7b005bd34c895ebeefd1c62f90a329730b88946b.tar.xz
[Bluetooth] Fix NULL pointer dereferences of the HCI socket
This patch fixes the two NULL pointer dereferences found by the sfuzz tool from Ilja van Sprundel. The first one was a call of getsockname() for an unbound socket and the second was calling accept() while this operation isn't implemented for the HCI socket interface. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--net/bluetooth/hci_sock.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index bdb6458c6bd5..97bdec73d17e 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
static int hci_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct hci_dev *hdev = hci_pi(sk)->hdev;
+ struct hci_dev *hdev;
BT_DBG("sock %p sk %p", sock, sk);
if (!sk)
return 0;
+ hdev = hci_pi(sk)->hdev;
+
bt_sock_unlink(&hci_sk_list, sk);
if (hdev) {
@@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
{
struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
struct sock *sk = sock->sk;
+ struct hci_dev *hdev = hci_pi(sk)->hdev;
BT_DBG("sock %p sk %p", sock, sk);
+ if (!hdev)
+ return -EBADFD;
+
lock_sock(sk);
*addr_len = sizeof(*haddr);
haddr->hci_family = AF_BLUETOOTH;
- haddr->hci_dev = hci_pi(sk)->hdev->id;
+ haddr->hci_dev = hdev->id;
release_sock(sk);
return 0;