commit 7b005bd34c895ebeefd1c62f90a329730b88946b
author Marcel Holtmann <marcel@holtmann.org> Mon Feb 13 11:40:03 2006 +0100
committer Marcel Holtmann <marcel@holtmann.org> Mon Feb 13 11:40:03 2006 +0100
tree 7a7143c1b29b902122fe5e17a10ad4cb2ec66291
parent 56f3a40a5e7586043260669cc794e56fa58339e1

[Bluetooth] Fix NULL pointer dereferences of the HCI socket

This patch fixes the two NULL pointer dereferences found by the sfuzz
tool from Ilja van Sprundel. The first one was a call of getsockname()
for an unbound socket and the second was calling accept() while this
operation isn't implemented for the HCI socket interface.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

net/bluetooth/hci_sock.c

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index bdb6458..97bdec7 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -143,13 +143,15 @@
 static int hci_sock_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct hci_dev *hdev = hci_pi(sk)->hdev;
+	struct hci_dev *hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
 	if (!sk)
 		return 0;
 
+	hdev = hci_pi(sk)->hdev;
+
 	bt_sock_unlink(&hci_sk_list, sk);
 
 	if (hdev) {
@@ -311,14 +313,18 @@
 {
 	struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 	struct sock *sk = sock->sk;
+	struct hci_dev *hdev = hci_pi(sk)->hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
+	if (!hdev)
+		return -EBADFD;
+
 	lock_sock(sk);
 
 	*addr_len = sizeof(*haddr);
 	haddr->hci_family = AF_BLUETOOTH;
-	haddr->hci_dev    = hci_pi(sk)->hdev->id;
+	haddr->hci_dev    = hdev->id;
 
 	release_sock(sk);
 	return 0;