[Bluetooth] Fix NULL pointer dereferences of the HCI socket
This patch fixes the two NULL pointer dereferences found by the sfuzz tool from Ilja van Sprundel. The first one was a call of getsockname() for an unbound socket and the second was calling accept() while this operation isn't implemented for the HCI socket interface. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
parent
56f3a40a5e
commit
7b005bd34c
@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
static int hci_sock_release(struct socket *sock)
|
||||
{
|
||||
struct sock *sk = sock->sk;
|
||||
struct hci_dev *hdev = hci_pi(sk)->hdev;
|
||||
struct hci_dev *hdev;
|
||||
|
||||
BT_DBG("sock %p sk %p", sock, sk);
|
||||
|
||||
if (!sk)
|
||||
return 0;
|
||||
|
||||
hdev = hci_pi(sk)->hdev;
|
||||
|
||||
bt_sock_unlink(&hci_sk_list, sk);
|
||||
|
||||
if (hdev) {
|
||||
@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
|
||||
{
|
||||
struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
|
||||
struct sock *sk = sock->sk;
|
||||
struct hci_dev *hdev = hci_pi(sk)->hdev;
|
||||
|
||||
BT_DBG("sock %p sk %p", sock, sk);
|
||||
|
||||
if (!hdev)
|
||||
return -EBADFD;
|
||||
|
||||
lock_sock(sk);
|
||||
|
||||
*addr_len = sizeof(*haddr);
|
||||
haddr->hci_family = AF_BLUETOOTH;
|
||||
haddr->hci_dev = hci_pi(sk)->hdev->id;
|
||||
haddr->hci_dev = hdev->id;
|
||||
|
||||
release_sock(sk);
|
||||
return 0;
|
||||
|
Loading…
Reference in New Issue
Block a user