diff options
author | Szymon Janc <szymon.janc@tieto.com> | 2011-02-28 14:09:50 +0100 |
---|---|---|
committer | Gustavo F. Padovan <padovan@profusion.mobi> | 2011-03-01 22:18:17 -0300 |
commit | 8020c16a6c9fc8d6a5217be8d005f2fc558f6ab5 (patch) | |
tree | 1abf93e525caff365c8447f44bb985d5e6b2b6bc /net/bluetooth/mgmt.c | |
parent | 30e7627219f985cd17a1ac24e0163ebcfb1277bf (diff) | |
download | op-kernel-dev-8020c16a6c9fc8d6a5217be8d005f2fc558f6ab5.zip op-kernel-dev-8020c16a6c9fc8d6a5217be8d005f2fc558f6ab5.tar.gz |
Bluetooth: Fix possible NULL pointer dereference in cmd_complete
It is now possible to create command complete event without specific
reply data by passing NULL as reply with len 0. Check pointer before
calling memcpy to avoid undefined behaviour.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Diffstat (limited to 'net/bluetooth/mgmt.c')
-rw-r--r-- | net/bluetooth/mgmt.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 46c3edc..34f58f4 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp, ev = (void *) skb_put(skb, sizeof(*ev) + rp_len); put_unaligned_le16(cmd, &ev->opcode); - memcpy(ev->data, rp, rp_len); + + if (rp) + memcpy(ev->data, rp, rp_len); if (sock_queue_rcv_skb(sk, skb) < 0) kfree_skb(skb); |