Bluetooth: smp: Fix possible NULL dereference
author	Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Thu, 19 Jul 2012 14:03:43 +0000 (17:03 +0300)
committer	Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Mon, 6 Aug 2012 18:19:37 +0000 (15:19 -0300)
smp_chan_create might return NULL so we need to check before
dereferencing smp.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
net/bluetooth/smp.c

index 16ef0dc85a0a87580c311563028cc567fa826bce..901a616c8083e22f5163f8bbd1613b1529c63519 100644 (file)
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
        if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                smp = smp_chan_create(conn);
+       else
+               smp = conn->smp_chan;
 
-       smp = conn->smp_chan;
+       if (!smp)
+               return SMP_UNSPECIFIED;
 
        smp->preq[0] = SMP_CMD_PAIRING_REQ;
        memcpy(&smp->preq[1], req, sizeof(*req));
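Review bot: the new `if (!smp) return SMP_UNSPECIFIED;` leaves HCI_CONN_LE_SMP_PEND set on the failure path. The `test_and_set_bit()` two lines above has already set the flag before `smp_chan_create(conn)` is called, so when it returns NULL this function returns with the bit still set and `conn->smp_chan` (read in the new `else` branch) still NULL; a subsequent pairing request then takes the `else` branch, gets NULL again and fails the same way, so the connection is stuck in the pending state unless `smp_chan_create()` itself clears the bit on failure, which is not visible in this hunk. If it does not, consider clearing the flag before bailing out, e.g. `clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);` ahead of the `return SMP_UNSPECIFIED;`, or state in the commit message that the create path already handles it. The patch is otherwise a correct fix: the old code dereferenced `smp` unconditionally on the very next line.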