diff options
author | Andrei Emeltchenko <andrei.emeltchenko@intel.com> | 2012-07-19 16:03:43 +0200 |
---|---|---|
committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2012-08-06 20:19:37 +0200 |
commit | d08fd0e712a834d4abb869c0215a702e290bc51e (patch) | |
tree | 2f5a17eb8c1240b55027d39b9957bd17893abcf0 | |
parent | Bluetooth: Set name_state to unknown when entry name is empty (diff) | |
download | linux-d08fd0e712a834d4abb869c0215a702e290bc51e.tar.xz linux-d08fd0e712a834d4abb869c0215a702e290bc51e.zip |
Bluetooth: smp: Fix possible NULL dereference
smp_chan_create might return NULL so we need to check before
dereferencing smp.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
-rw-r--r-- | net/bluetooth/smp.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 16ef0dc85a0a..901a616c8083 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) smp = smp_chan_create(conn); + else + smp = conn->smp_chan; - smp = conn->smp_chan; + if (!smp) + return SMP_UNSPECIFIED; smp->preq[0] = SMP_CMD_PAIRING_REQ; memcpy(&smp->preq[1], req, sizeof(*req)); |