From: Johan Hedberg <johan.hedberg@gmail.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Andrei Emeltchenko <Andrei.Emeltchenko.news@gmail.com>,
linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] bluetooth: Fix possible NULL dereference
Date: Wed, 3 Dec 2014 10:17:09 +0200 [thread overview]
Message-ID: <20141203081709.GA18422@t440s.lan> (raw)
In-Reply-To: <1CCB1571-FD46-4F46-9106-2FAD1ABB3960@holtmann.org>
Hi Marcel,
On Wed, Dec 03, 2014, Marcel Holtmann wrote:
> > conn might be NULL and would be dereferenced in conn_set_key()
> > ---
> > net/bluetooth/hci_event.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index bd0a801..95f8057 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -3312,7 +3312,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
> > /* Update connection information since adding the key will have
> > * fixed up the type in the case of changed combination keys.
> > */
> > - if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
> > + if (conn && ev->key_type == HCI_LK_CHANGED_COMBINATION)
> > conn_set_key(conn, key->type, key->pin_len);
> >
> > mgmt_new_link_key(hdev, key, persistent);
>
> the more important question is why we are considering link keys from
> the controller for a device that we do not have a hci_conn object for.
>
> If this is for security mode 3, then we should handle security mode 3
> and then bail out of this function. Since security mode 3 means that
> we never get SSP or SC based keys. It is legacy pairing and does not
> need any special handling for debug keys or changed combination keys.
The existence of a hci_conn object in this case is not dependent on
whether we're in security mode 3 or not. The hci_conn should have either
way been created when we initiated the connection or received a
connection request (only speciality with sec mode 3 is when the conn
complete finally comes). So this particular fix is really only for a
coverity warning as far as I see (and some very broken controllers).
As for security mode 3 connections we would still want to make a note of
the key type and PIN length.
Johan
next prev parent reply other threads:[~2014-12-03 8:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-03 7:46 [PATCH] bluetooth: Fix possible NULL dereference Andrei Emeltchenko
2014-12-03 8:00 ` Marcel Holtmann
2014-12-03 8:17 ` Johan Hedberg [this message]
2014-12-03 8:31 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141203081709.GA18422@t440s.lan \
--to=johan.hedberg@gmail.com \
--cc=Andrei.Emeltchenko.news@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.