linux-kernel.vger.kernel.org archive mirror
* [PATCH] Bluetooth: fix potential NULL ptr deref in dtl1_cs.c::dtl1_hci_send_frame()
From: Jesper Juhl @ 2006-05-07 18:50 UTC (permalink / raw)
  To: Marcel Holtmann; +Cc: linux-kernel, Jesper Juhl

There's a problem in drivers/bluetooth/dtl1_cs.c::dtl1_hci_send_frame()

If bt_skb_alloc() returns NULL, then skb_reserve(s, NSHL); will cause a
NULL pointer deref - ouch.
If we can't allocate the resources we require, we need to tell the caller
by returning -ENOMEM.

Found by the Coverity checker as bug #409.

Patch is compile tested, but that's all, due to lack of hardware.


Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---

 drivers/bluetooth/dtl1_cs.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.17-rc3-git12-orig/drivers/bluetooth/dtl1_cs.c	2006-05-07 03:25:16.000000000 +0200
+++ linux-2.6.17-rc3-git12/drivers/bluetooth/dtl1_cs.c	2006-05-07 20:43:01.000000000 +0200
@@ -423,6 +423,9 @@ static int dtl1_hci_send_frame(struct sk
 	nsh.len = skb->len;
 
 	s = bt_skb_alloc(NSHL + skb->len + 1, GFP_ATOMIC);
+	if (!s)
+		return -ENOMEM;
+
 	skb_reserve(s, NSHL);
 	memcpy(skb_put(s, skb->len), skb->data, skb->len);
 	if (skb->len & 0x0001)
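Review bot: the early `return -ENOMEM` leaves the incoming `skb` unhandled, and whether that is correct is not visible in this hunk. If dtl1_hci_send_frame() consumes `skb` on the success path (frees it after queueing the copy `s`), the new error path needs to free it as well, or the caller must know that -ENOMEM means it still owns the buffer; otherwise every failed GFP_ATOMIC allocation leaks one skb. Worth spelling out the ownership rule in the commit message. The check itself is right: bt_skb_alloc() with GFP_ATOMIC can return NULL, and `skb_reserve(s, NSHL)` on the next line would dereference it.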



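The bug class in this patch, an unchecked allocation on an atomic send path, is best caught by forcing the allocation to fail and checking what the function does. The following is an added user-space example, not code from the patch or from the kernel: a stand-in for the HCI send path (`model_send_frame`, `model_alloc`, `model_skb` are all hypothetical names) plus an allocation fault-injection harness that fails each allocation site in turn and asserts that the hardened path reports -ENOMEM and leaves nothing outstanding. The model assumes the send function consumes its input buffer, which the hunk does not show, and uses an assumed `NSHL` of 4.

```c
/* Added example (not from the patch or the kernel): a user-space model of an
 * HCI send path whose frame allocation can fail, plus an allocation
 * fault-injection harness that exercises every failure point.  Names are
 * hypothetical; NSHL is an assumed value for the model. */
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSHL 4   /* assumed session header length reserved as headroom */

struct model_skb {            /* minimal stand-in for struct sk_buff */
    unsigned char *buf;
    size_t len;
    size_t headroom;
};

static int alloc_calls;       /* allocations attempted in the current run */
static int fail_at;           /* 0 = never fail, n = fail the n-th call */
static int live_skbs;         /* outstanding allocations, to detect leaks */

static struct model_skb *model_alloc(size_t size)
{
    if (++alloc_calls == fail_at)
        return NULL;          /* injected allocation failure */
    struct model_skb *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->buf = calloc(size, 1);
    if (!s->buf) {
        free(s);
        return NULL;
    }
    live_skbs++;
    return s;
}

static void model_free(struct model_skb *s)
{
    if (!s)
        return;
    free(s->buf);
    free(s);
    live_skbs--;
}

/* Same shape as the patched send path: allocate a frame with NSHL headroom,
 * copy the payload behind it, consume the input.  The early return is the
 * check the patch adds; the model also frees the input on that path so the
 * caller is never left with a leaked buffer (an assumption of this model). */
static int model_send_frame(struct model_skb *skb, struct model_skb **out)
{
    struct model_skb *s = model_alloc(NSHL + skb->len + 1);
    if (!s) {
        model_free(skb);                 /* release the consumed input */
        return -ENOMEM;
    }
    s->headroom = NSHL;                              /* skb_reserve(s, NSHL) */
    memcpy(s->buf + s->headroom, skb->buf, skb->len); /* memcpy(skb_put(...)) */
    s->len = skb->len;
    model_free(skb);                                 /* kfree_skb(skb) */
    *out = s;
    return 0;
}

static struct model_skb *build_input(void)
{
    static const unsigned char payload[] = "constructed HCI payload";
    struct model_skb *in = model_alloc(sizeof payload);
    if (!in)
        return NULL;
    memcpy(in->buf, payload, sizeof payload);
    in->len = sizeof payload;
    return in;
}

/* Fault-injection driver: one clean run to count allocation sites, then one
 * run per site inside the send path with that site forced to fail.  Returns
 * the number of failure points exercised, or -1 on any misbehaviour. */
static int inject_alloc_failures(void)
{
    alloc_calls = 0;
    fail_at = 0;
    struct model_skb *in = build_input();
    struct model_skb *out = NULL;
    if (!in || model_send_frame(in, &out) != 0 || !out)
        return -1;
    model_free(out);
    int sites = alloc_calls;      /* site 1 builds the input, the rest are inside */
    if (live_skbs != 0)
        return -1;

    for (int i = 2; i <= sites; i++) {
        alloc_calls = 0;
        fail_at = i;
        in = build_input();
        out = NULL;
        int rc = model_send_frame(in, &out);
        if (rc != -ENOMEM || out != NULL || live_skbs != 0)
            return -1;
    }
    return sites - 1;
}

int main(void)
{
    printf("failure points exercised: %d\n", inject_alloc_failures());
    return 0;
}
```

The harness counts allocation sites on a clean run and then replays the path once per site with that call returning NULL, so any new allocation added to the send path is automatically covered; the `live_skbs` counter is what turns a silent leak on the error path into a test failure.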

* Re: [PATCH] Bluetooth: fix potential NULL ptr deref in dtl1_cs.c::dtl1_hci_send_frame()
From: Marcel Holtmann @ 2006-05-07 19:21 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: linux-kernel

Hi Jesper,

> There's a problem in drivers/bluetooth/dtl1_cs.c::dtl1_hci_send_frame()
> 
> If bt_skb_alloc() returns NULL, then skb_reserve(s, NSHL); will cause a
> NULL pointer deref - ouch.
> If we can't allocate the resources we require, we need to tell the caller
> by returning -ENOMEM.
> 
> Found by the Coverity checker as bug #409.
> 
> Patch is compile tested, but that's all, due to lack of hardware.
> 
> 
> Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Regards

Marcel



