Bluetooth: Fix possible NULL pointer dereference

Checking conn->pending_sec_level if there is no connection leads to potential null pointer dereference. Don't process pin_code_request_event at all if no connection exists. Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
author: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> 2011-09-23 04:01:30 -0400
committer: Gustavo F. Padovan <padovan@profusion.mobi> 2011-09-29 14:23:58 -0400
commit: b6f98044a6cbeba8234a3d433d715e9ef36880c4 (patch)
tree: 0e518c0723f132eb05c291e53b631884bdf1596d /net/bluetooth/hci_event.c
parent: 67c9e840a098fa62c0b464387160ff8f52a7ef4a (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 35083f2aa2ea..7390ba9d4f6e 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2174,7 +2174,10 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-        if (conn && conn->state == BT_CONNECTED) {
+        if (!conn)
+                goto unlock;
+        if (conn->state == BT_CONNECTED) {
                hci_conn_hold(conn);
                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
                hci_conn_put(conn);
@@ -2194,6 +2197,7 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
                mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
        }
+unlock:
        hci_dev_unlock(hdev);
 }
author	Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>	2011-09-23 04:01:30 -0400
committer	Gustavo F. Padovan <padovan@profusion.mobi>	2011-09-29 14:23:58 -0400
commit	b6f98044a6cbeba8234a3d433d715e9ef36880c4 (patch)
tree	0e518c0723f132eb05c291e53b631884bdf1596d /net/bluetooth/hci_event.c
parent	67c9e840a098fa62c0b464387160ff8f52a7ef4a (diff)