* [PATCH] Bluetooth: Fix possible NULL pointer dereference in cmd_complete
@ 2011-02-28 13:09 Szymon Janc
2011-02-28 17:32 ` Gustavo F. Padovan
0 siblings, 1 reply; 2+ messages in thread
From: Szymon Janc @ 2011-02-28 13:09 UTC (permalink / raw)
To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
It is now possible to create a command complete event without specific
reply data by passing NULL as reply with len 0. Check the pointer before
calling memcpy to avoid undefined behaviour.
---
net/bluetooth/mgmt.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 46c3edc..34f58f4 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,
ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
put_unaligned_le16(cmd, &ev->opcode);
- memcpy(ev->data, rp, rp_len);
+
+ if (rp)
+ memcpy(ev->data, rp, rp_len);
if (sock_queue_rcv_skb(sk, skb) < 0)
kfree_skb(skb);
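Review bot: the `if (rp)` guard prevents the NULL memcpy, but it does not tie `rp` to `rp_len`: if a caller ever passes `rp == NULL` with a non-zero `rp_len`, the `skb_put(skb, sizeof(*ev) + rp_len)` above still reserves `rp_len` bytes that skb_put does not zero, and those uninitialized bytes are queued to the socket in `ev->data` and reach userspace. Consider making the guard `if (rp && rp_len)` and, for the NULL case, either forcing `rp_len = 0` before the skb_put or adding a `WARN_ON(!rp && rp_len)` so the mismatch is caught rather than silently leaking kernel memory. The extra blank line added before the `if` is fine stylistically but could be dropped to keep the hunk minimal.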
--
1.7.0.4
on behalf of ST-Ericsson