author | Marcel Holtmann <marcel@holtmann.org> | 2006-02-13 05:40:03 -0500 |
committer | Marcel Holtmann <marcel@holtmann.org> | 2006-02-13 05:40:03 -0500 |
commit | 7b005bd34c895ebeefd1c62f90a329730b88946b (patch) | |
tree | 7a7143c1b29b902122fe5e17a10ad4cb2ec66291 | |
parent | 56f3a40a5e7586043260669cc794e56fa58339e1 (diff) |
[Bluetooth] Fix NULL pointer dereferences of the HCI socket
This patch fixes the two NULL pointer dereferences found by the sfuzz
tool from Ilja van Sprundel. The first one was a call of getsockname()
for an unbound socket and the second was calling accept() while this
operation isn't implemented for the HCI socket interface.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/hci_sock.c | 10 |
1 files changed, 8 insertions, 2 deletions
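diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index bdb6458c6bd5..97bdec73d17e 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 static int hci_sock_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct hci_dev *hdev = hci_pi(sk)->hdev;
+	struct hci_dev *hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
 	if (!sk)
 		return 0;
 
+	hdev = hci_pi(sk)->hdev;
+
 	bt_sock_unlink(&hci_sk_list, sk);
 
 	if (hdev) {
@@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
 {
 	struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 	struct sock *sk = sock->sk;
+	struct hci_dev *hdev = hci_pi(sk)->hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
+	if (!hdev)
+		return -EBADFD;
+
 	lock_sock(sk);
 
 	*addr_len = sizeof(*haddr);
 	haddr->hci_family = AF_BLUETOOTH;
-	haddr->hci_dev = hci_pi(sk)->hdev->id;
+	haddr->hci_dev = hdev->id;
 
 	release_sock(sk);
 	return 0;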
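Review bot: In hci_sock_getname the new `hdev = hci_pi(sk)->hdev` read and the `if (!hdev) return -EBADFD;` check both run before lock_sock(sk), so the value being validated is snapshotted without the socket lock; hci_sock_bind is outside this hunk, but if it updates hci_pi(sk)->hdev under lock_sock (as the later `hdev->id` use under the lock suggests), the unlocked read here is racy against a concurrent bind() on the same socket. Moving the read and the check below lock_sock(sk) closes that window at the cost of a release_sock() on the error path, and keeps every access to the binding under one lock discipline. Separately, the commit message attributes the second crash to accept(), yet both hunks touch only hci_sock_release and hci_sock_getname; if the accept() path is fixed elsewhere, the message should say where. Rewritten prologue of hci_sock_getname (the function's signature line is outside the hunk):
```c
	struct sock *sk = sock->sk;
	struct hci_dev *hdev;

	BT_DBG("sock %p sk %p", sock, sk);

	lock_sock(sk);

	/* Read the binding under the socket lock so a concurrent bind()
	 * cannot change it between this check and the hdev->id use below. */
	hdev = hci_pi(sk)->hdev;
	if (!hdev) {
		release_sock(sk);
		return -EBADFD;
	}

	/* … unchanged: *addr_len and haddr->hci_family assignments … */
	haddr->hci_dev = hdev->id;
	/* … unchanged: release_sock(sk); return 0; … */
```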