Commit 8020c16a, authored by Szymon Janc, committed by Gustavo F. Padovan

Bluetooth: Fix possible NULL pointer dereference in cmd_complete

It is now possible to create command complete event without specific
reply data by passing NULL as reply with len 0. Check pointer before
calling memcpy to avoid undefined behaviour.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Parent 30e76272
...@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp, ...@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,
ev = (void *) skb_put(skb, sizeof(*ev) + rp_len); ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
put_unaligned_le16(cmd, &ev->opcode); put_unaligned_le16(cmd, &ev->opcode);
memcpy(ev->data, rp, rp_len);
if (rp)
memcpy(ev->data, rp, rp_len);
if (sock_queue_rcv_skb(sk, skb) < 0) if (sock_queue_rcv_skb(sk, skb) < 0)
kfree_skb(skb); kfree_skb(skb);
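Review bot: the new `if (rp)` guard in cmd_complete checks the pointer but not the length it is paired with. `skb_put(skb, sizeof(*ev) + rp_len)` on the line above still reserves rp_len bytes of ev->data whenever rp_len is non-zero, and skb_put does not zero them, so a caller that passes `rp == NULL` with `rp_len != 0` would now queue uninitialized skb memory to the socket instead of crashing. The commit message relies on every caller passing len 0 together with NULL; that invariant should be enforced at the function rather than assumed, e.g. `if (rp) memcpy(ev->data, rp, rp_len); else rp_len = 0;` before the skb_put (or a `BUG_ON(!rp && rp_len)`), and the NULL-with-len-0 contract documented in a comment above cmd_complete.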