Bluetooth: Fix out of scope variable access in hci_sock_cmsg()
authorJohann Felix Soden <johfel@users.sourceforge.net>
Mon, 15 Feb 2010 21:23:48 +0000 (22:23 +0100)
committerMarcel Holtmann <marcel@holtmann.org>
Sun, 28 Feb 2010 08:47:30 +0000 (00:47 -0800)
The pointer data can point to the variable ctv.
Access to data happens when ctv is already out of scope.

Signed-off-by: Johann Felix Soden <johfel@users.sourceforge.net>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/hci_sock.c

index 688cfebfbee0d2ec6aed49647637291d2dd60a55..38f08f6b86f6b1f4a4b8c0305e91746e0b42affc 100644 (file)
@@ -329,6 +329,9 @@ static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_
        }
 
        if (mask & HCI_CMSG_TSTAMP) {
+#ifdef CONFIG_COMPAT
+               struct compat_timeval ctv;
+#endif
                struct timeval tv;
                void *data;
                int len;
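Review bot: The `ctv` declaration added at the top of the `HCI_CMSG_TSTAMP` block carries no comment explaining why it sits at this scope. It is only assigned inside the `MSG_CMSG_COMPAT` branch shown in the second hunk, so a later tidy-up could move it back there and reintroduce the dangling `data = &ctv` pointer. I would add a comment above the declaration such as `/* ctv must stay in scope for as long as data may point at it */`. The code that reads `data` lies outside both hunks, so the required lifetime is inferred from the commit message rather than from visible lines. Because `data` presumably feeds the control message returned to the caller, a stale stack slot here would be a correctness and information-exposure risk, which makes it worth pinning in a comment.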
@@ -339,7 +342,6 @@ static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_
                len = sizeof(tv);
 #ifdef CONFIG_COMPAT
                if (msg->msg_flags & MSG_CMSG_COMPAT) {
-                       struct compat_timeval ctv;
                        ctv.tv_sec = tv.tv_sec;
                        ctv.tv_usec = tv.tv_usec;
                        data = &ctv;