Commit 7b005bd3 authored by Marcel Holtmann's avatar Marcel Holtmann

[Bluetooth] Fix NULL pointer dereferences of the HCI socket

This patch fixes the two NULL pointer dereferences found by the sfuzz
tool from Ilja van Sprundel. The first one was a call of getsockname()
for an unbound socket and the second was calling accept() while this
operation isn't implemented for the HCI socket interface.
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 56f3a40a
...@@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) ...@@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
static int hci_sock_release(struct socket *sock) static int hci_sock_release(struct socket *sock)
{ {
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct hci_dev *hdev = hci_pi(sk)->hdev; struct hci_dev *hdev;
BT_DBG("sock %p sk %p", sock, sk); BT_DBG("sock %p sk %p", sock, sk);
if (!sk) if (!sk)
return 0; return 0;
hdev = hci_pi(sk)->hdev;
bt_sock_unlink(&hci_sk_list, sk); bt_sock_unlink(&hci_sk_list, sk);
if (hdev) { if (hdev) {
...@@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add ...@@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
{ {
struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct hci_dev *hdev = hci_pi(sk)->hdev;
BT_DBG("sock %p sk %p", sock, sk); BT_DBG("sock %p sk %p", sock, sk);
if (!hdev)
return -EBADFD;
lock_sock(sk); lock_sock(sk);
*addr_len = sizeof(*haddr); *addr_len = sizeof(*haddr);
haddr->hci_family = AF_BLUETOOTH; haddr->hci_family = AF_BLUETOOTH;
haddr->hci_dev = hci_pi(sk)->hdev->id; haddr->hci_dev = hdev->id;
release_sock(sk); release_sock(sk);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment