Commit d08fd0e7 authored by Andrei Emeltchenko's avatar Andrei Emeltchenko Committed by Gustavo Padovan

Bluetooth: smp: Fix possible NULL dereference

smp_chan_create might return NULL so we need to check before
dereferencing smp.
Signed-off-by: default avatarAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
parent c3e7c0d9
...@@ -579,9 +579,12 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) ...@@ -579,9 +579,12 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
smp = smp_chan_create(conn); smp = smp_chan_create(conn);
else
smp = conn->smp_chan; smp = conn->smp_chan;
if (!smp)
return SMP_UNSPECIFIED;
smp->preq[0] = SMP_CMD_PAIRING_REQ; smp->preq[0] = SMP_CMD_PAIRING_REQ;
memcpy(&smp->preq[1], req, sizeof(*req)); memcpy(&smp->preq[1], req, sizeof(*req));
skb_pull(skb, sizeof(*req)); skb_pull(skb, sizeof(*req));
......
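Review bot: The new `if (!smp) return SMP_UNSPECIFIED;` exit leaves `HCI_CONN_LE_SMP_PEND` set when `smp_chan_create()` fails, because `test_and_set_bit()` has already set it by then. Every later pairing request on this connection would then take the `else` branch and read `conn->smp_chan`, which is presumably still NULL after a failed create, so pairing would keep failing until the link drops. Unless the caller's failure handling already resets the flag (not visible here), the create-failure path should undo it with `clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);` before returning. A short comment such as `/* allocation failed: reject this request, leave no pending SMP state */` would also make the intent clear. The body of smp_cmd_pairing_req starts and ends outside this hunk, so whether `skb->len` is checked against `sizeof(*req)` before the `memcpy` cannot be confirmed from here.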