From: johan.hedberg@gmail.com
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH 5/6] Bluetooth: Fix missing check for SMP session in smp_user_confirm_reply
Date: Fri, 27 Jun 2014 14:23:06 +0300
Message-ID: <1403868187-19396-6-git-send-email-johan.hedberg@gmail.com>
In-Reply-To: <1403868187-19396-1-git-send-email-johan.hedberg@gmail.com>
From: Johan Hedberg <johan.hedberg@intel.com>
The smp_user_confirm_reply() function is called whenever user space
sends a user confirmation reply mgmt command. In case of a misbehaving
user space, or if the SMP session was removed by the time the command
comes, it is important that we return an appropriate error and do not try
to access the non-existent SMP context. This patch adds the appropriate
check for the HCI_CONN_LE_SMP_PEND flag before proceeding further.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/smp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 2566a3e43bb5..641ce8b69d2a 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -638,7 +638,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
BT_DBG("");
- if (!conn)
+ if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
return -ENOTCONN;
smp = conn->smp_chan;
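Review bot: The new test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags) test and the following `smp = conn->smp_chan;` form a check-then-use pair, and nothing visible in this hunk shows what prevents the SMP session from being torn down between the two. The commit message names exactly that case (the session being removed by the time the command arrives), so please state, in the commit message or in a comment above the check, which lock the caller must hold for the flag and conn->smp_chan to stay consistent, especially since 4/6 in this series removes an hci_dev_unlock from this same function. The flag is also being used as a proxy for conn->smp_chan being valid; if that invariant is not guaranteed everywhere the flag is set and cleared, a direct NULL check on smp before its first dereference would be the safer guard. Minor: -ENOTCONN now covers both "no L2CAP connection" and "no pending SMP session", which user space cannot tell apart; if that is intentional, a word in the commit message would help.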
--
1.9.3
Thread overview: 8+ messages
2014-06-27 11:23 [PATCH 0/6] Bluetooth: Various SMP cleanups & fixes johan.hedberg
2014-06-27 11:23 ` [PATCH 1/6] Bluetooth: Fix missing hdev locking in smp_cmd_ident_addr_info johan.hedberg
2014-06-27 11:23 ` [PATCH 2/6] Bluetooth: Add dedicated AES instance for each SMP context johan.hedberg
2014-06-27 11:23 ` [PATCH 3/6] Bluetooth: Update SMP crypto functions to take the " johan.hedberg
2014-06-27 11:23 ` [PATCH 4/6] Bluetooth: Remove unnecessary hci_dev_unlock for smp_user_confirm_reply johan.hedberg
2014-06-27 11:23 ` johan.hedberg [this message]
2014-06-27 11:23 ` [PATCH 6/6] Bluetooth: Remove unnecessary hcon->smp_conn variable johan.hedberg
2014-06-27 11:40 ` [PATCH 0/6] Bluetooth: Various SMP cleanups & fixes Marcel Holtmann