Bluetooth: Fix potential NULL dereference in SMP channel setup When the allocation of the L2CAP channel for the BR/EDR security manager fails, then the smp variable might be NULL. In that case do not try to free the non-existing crypto contexts Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

commit: 63511f6d5ba0c20850448991be297751ddb6798c [log] [tgz]
author: Marcel Holtmann <marcel@holtmann.org> Tue Mar 17 11:38:24 2015 -0700
committer: Johan Hedberg <johan.hedberg@intel.com> Wed Mar 18 08:30:03 2015 +0200
tree: dbc670d6296219f8fa8882b287ca0967944f2fc5
parent: 19c5ce9c5ff80a26cba3afb3684d56539444ee40 [diff] [blame]
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6a5afb9..1ec3f66 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c

@@ -3124,9 +3124,11 @@
 create_chan:
 	chan = l2cap_chan_create();
 	if (!chan) {
-		crypto_free_blkcipher(smp->tfm_aes);
-		crypto_free_hash(smp->tfm_cmac);
-		kzfree(smp);
+		if (smp) {
+			crypto_free_blkcipher(smp->tfm_aes);
+			crypto_free_hash(smp->tfm_cmac);
+			kzfree(smp);
+		}
 		return ERR_PTR(-ENOMEM);
 	}
commit	63511f6d5ba0c20850448991be297751ddb6798c	[log] [tgz]
author	Marcel Holtmann <marcel@holtmann.org>	Tue Mar 17 11:38:24 2015 -0700
committer	Johan Hedberg <johan.hedberg@intel.com>	Wed Mar 18 08:30:03 2015 +0200
tree	dbc670d6296219f8fa8882b287ca0967944f2fc5
parent	19c5ce9c5ff80a26cba3afb3684d56539444ee40 [diff] [blame]