author | Josef Kindberg <josef.kindberg@stericsson.com> | 2011-03-24 13:25:17 +0100 |
---|---|---|
committer | Jonas ABERG <jonas.aberg@stericsson.com> | 2011-03-25 14:22:27 +0100 |
commit | 798ec6f2127bc43ad65abc57b3a8aae444fc224b (patch) | |
tree | 4e71d1ae6369c77ea93db24f0bec5229cbc3869f /net | |
parent | 9d413c758812f5d31fbf11bf71c427f394e5d6de (diff) |
Bluetooth: fix oops in l2cap_connect_req
In error cases when the ACL is insecure or we fail to allocate a new
struct sock, we jump to the "response" label. If so, "sk" will be
null and the kernel crashes.
ST-Ericsson Linux next: Backport of d793fe8caa3911e6a1e826b45d4ee00d250cdec8
ST-Ericsson ID: 329716
ST-Ericsson FOSS-OUT ID: NA
Change-Id: Ib48588657a6135e10ddb6eccd86b7aa2c7c6ecfe
Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/19016
Reviewed-by: Josef KINDBERG <josef.kindberg@stericsson.com>
Tested-by: Josef KINDBERG <josef.kindberg@stericsson.com>
Reviewed-by: Lukasz RYMANOWSKI <lukasz.rymanowski@stericsson.com>
Reviewed-by: Par-Gunnar HJALMDAHL <par-gunnar.p.hjalmdahl@stericsson.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/l2cap.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index d7365ba0ffc..048242f4a7c 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2844,7 +2844,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd struct l2cap_chan_list *list = &conn->chan_list; struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct sock *parent, *uninitialized_var(sk); + struct sock *parent, *sk = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -2976,7 +2976,7 @@ sendresp: L2CAP_INFO_REQ, sizeof(info), &info); } - if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && + if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && result == L2CAP_CR_SUCCESS) { u8 buf[128]; l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; |
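Review bot: In the declaration hunk (@@ -2844), the removed line used `uninitialized_var(sk)`, so before this change sk was uninitialized on the error paths rather than null, and the commit message's "sk will be null" describes the state only after this patch. Suggest rewording the message to say the pointer was left uninitialized and that the annotation had silenced the compiler warning that would have flagged it. `parent` on the same line is still declared without an initializer, so it is worth confirming that it is assigned on every path before use.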
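Review bot: In the `sendresp:` hunk (@@ -2976), the new `sk &&` test guards only this one condition, and the code between the label and this `if` is only partly visible here; check that nothing else reached from `sendresp:` dereferences sk when the error paths leave it NULL. The commit message calls the label "response" while the hunk context shows `sendresp:`, so the message should use the actual label name. A short comment above the condition noting that sk is NULL when the request was rejected before a socket was allocated would help the next reader.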