Skip to content
Permalink
Browse files Browse the repository at this point in the history
Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
addr can be NULL and it should not be dereferenced before NULL checking.

Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  • Loading branch information
Jaganath Kanakkassery authored and holtmann committed Jun 6, 2015
1 parent 6be09b4 commit 951b6a0
Showing 1 changed file with 12 additions and 8 deletions.
20 changes: 12 additions & 8 deletions net/bluetooth/rfcomm/sock.c
Expand Up @@ -334,16 +334,19 @@ static int rfcomm_sock_create(struct net *net, struct socket *sock,

static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
{
struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
struct sockaddr_rc sa;
struct sock *sk = sock->sk;
int chan = sa->rc_channel;
int err = 0;

BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
int len, err = 0;

if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;

memset(&sa, 0, sizeof(sa));
len = min_t(unsigned int, sizeof(sa), addr_len);
memcpy(&sa, addr, len);

BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);

lock_sock(sk);

if (sk->sk_state != BT_OPEN) {
Expand All @@ -358,12 +361,13 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr

write_lock(&rfcomm_sk_list.lock);

if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
if (sa.rc_channel &&
__rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
err = -EADDRINUSE;
} else {
/* Save source address */
bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
rfcomm_pi(sk)->channel = chan;
bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
rfcomm_pi(sk)->channel = sa.rc_channel;
sk->sk_state = BT_BOUND;
}

Expand Down

0 comments on commit 951b6a0

Please sign in to comment.