diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2014-12-19 01:20:57 -0500 |
|---|---|---|
| committer | Marcel Holtmann <marcel@holtmann.org> | 2014-12-19 07:40:07 -0500 |
| commit | 51bda2bca53b265715ca1852528f38dc67429d9a (patch) | |
| tree | 2e8721c2ce2556a9d4d636f4b5497af938f7b4e2 /net | |
| parent | 004fa5ed08cc5d3188db42c05d6b80feaae004c2 (diff) | |
Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
it's OK after we'd verified the sockets, but not before that.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/hidp/core.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index cc25d0b74b36..07348e142f16 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c | |||
| @@ -1314,13 +1314,14 @@ int hidp_connection_add(struct hidp_connadd_req *req, | |||
| 1314 | { | 1314 | { |
| 1315 | struct hidp_session *session; | 1315 | struct hidp_session *session; |
| 1316 | struct l2cap_conn *conn; | 1316 | struct l2cap_conn *conn; |
| 1317 | struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; | 1317 | struct l2cap_chan *chan; |
| 1318 | int ret; | 1318 | int ret; |
| 1319 | 1319 | ||
| 1320 | ret = hidp_verify_sockets(ctrl_sock, intr_sock); | 1320 | ret = hidp_verify_sockets(ctrl_sock, intr_sock); |
| 1321 | if (ret) | 1321 | if (ret) |
| 1322 | return ret; | 1322 | return ret; |
| 1323 | 1323 | ||
| 1324 | chan = l2cap_pi(ctrl_sock->sk)->chan; | ||
| 1324 | conn = NULL; | 1325 | conn = NULL; |
| 1325 | l2cap_chan_lock(chan); | 1326 | l2cap_chan_lock(chan); |
| 1326 | if (chan->conn) | 1327 | if (chan->conn) |