Linux bluetooth development
* [PATCH] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
@ 2026-05-26  3:21 Zhao Dongdong
  2026-05-26  5:06 ` bluez.test.bot
  2026-05-26 17:50 ` [PATCH] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Zhao Dongdong @ 2026-05-26  3:21 UTC
  To: marcel, luiz.dentz; +Cc: linux-bluetooth, Zhao Dongdong

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.
Add a NULL check after skb_clone() and skip the peer if the clone fails.

Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
 net/bluetooth/6lowpan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 2f03b780b40d..960a19b3e26d 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -486,6 +486,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
 			int ret;
 
 			local_skb = skb_clone(skb, GFP_ATOMIC);
+			if (!local_skb)
+				continue;
 
 			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
 			       netdev->name,
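
Review bot: the `continue` taken when skb_clone() fails skips that peer silently, and nothing in these lines records the failure even though send_mcast_pkt() returns int. Because the clone uses GFP_ATOMIC, this path can be hit under memory pressure, so a multicast packet may reach only some peers with no trace. Consider noting -ENOMEM for the function's return value, or counting the drop (for example in netdev->stats.tx_dropped), before the `continue`, and state in the commit message which behaviour is intended for the remaining peers.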
-- 
2.25.1

