From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Soenke Huster <soenke.huster@eknoes.de>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Ovidiu Panait <ovidiu.panait@eng.windriver.com>
Subject: [PATCH 5.15 15/20] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
Date: Fri, 3 Feb 2023 11:13:42 +0100 [thread overview]
Message-ID: <20230203101008.636068341@linuxfoundation.org> (raw)
In-Reply-To: <20230203101007.985835823@linuxfoundation.org>
From: Soenke Huster <soenke.huster@eknoes.de>
commit 3afee2118132e93e5f6fa636dfde86201a860ab3 upstream.
This event is just specified for SCO and eSCO link types.
On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
of an existing LE connection, LE link type and a status that triggers the
second case of the packet processing a NULL pointer dereference happens,
as conn->link is NULL.
Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@eng.windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4415,6 +4415,19 @@ static void hci_sync_conn_complete_evt(s
struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
struct hci_conn *conn;
+ switch (ev->link_type) {
+ case SCO_LINK:
+ case ESCO_LINK:
+ break;
+ default:
+ /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
+ * for HCI_Synchronous_Connection_Complete is limited to
+ * either SCO or eSCO
+ */
+ bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
+ return;
+ }
+
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
hci_dev_lock(hdev);
next prev parent reply other threads:[~2023-02-03 10:24 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-03 10:13 [PATCH 5.15 00/20] 5.15.92-rc1 review Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 01/20] ARM: dts: imx: Fix pca9547 i2c-mux node name Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 02/20] ARM: dts: vf610: Fix pca9548 i2c-mux node names Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 03/20] arm64: dts: freescale: Fix pca954x " Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 04/20] arm64: dts: imx8mq-thor96: fix no-mmc property for SDHCI Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 05/20] firmware: arm_scmi: Clear stale xfer->hdr.status Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 06/20] bpf: Skip task with pid=1 in send_signal_common() Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 07/20] erofs/zmap.c: Fix incorrect offset calculation Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 08/20] blk-cgroup: fix missing pd_online_fn() while activating policy Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 09/20] HID: playstation: sanity check DualSense calibration data Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 10/20] dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 11/20] cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 12/20] ext4: fix bad checksum after online resize Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 13/20] extcon: usbc-tusb320: fix kernel-doc warning Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 14/20] ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel systems Greg Kroah-Hartman
2023-02-03 10:13 ` Greg Kroah-Hartman [this message]
2023-02-03 10:13 ` [PATCH 5.15 16/20] tools: fix ARRAY_SIZE defines in tools and selftests hdrs Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 17/20] selftests/vm: remove ARRAY_SIZE define from individual tests Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 18/20] selftests: Provide local define of __cpuid_count() Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 19/20] net: fix NULL pointer in skb_segment_list Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 20/20] net: mctp: purge receive queues on sk destruction Greg Kroah-Hartman
2023-02-03 20:03 ` [PATCH 5.15 00/20] 5.15.92-rc1 review Florian Fainelli
2023-02-04 0:53 ` Shuah Khan
2023-02-04 1:50 ` Guenter Roeck
2023-02-04 2:03 ` Bagas Sanjaya
2023-02-04 8:31 ` Naresh Kamboju
2023-02-04 8:55 ` Ron Economos
2023-02-06 7:12 ` Greg Kroah-Hartman
2023-02-06 8:56 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230203101008.636068341@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=luiz.von.dentz@intel.com \
--cc=ovidiu.panait@eng.windriver.com \
--cc=patches@lists.linux.dev \
--cc=soenke.huster@eknoes.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox