
Commit b6f98044 authored by Waldemar Rymarkiewicz, committed by Gustavo Padovan

Bluetooth: Fix possible NULL pointer dereference



Checking conn->pending_sec_level if there is no connection leads to potential
null pointer dereference. Don't process pin_code_request_event at all if no
connection exists.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
parent 67c9e840
+5 −1
@@ -2174,7 +2174,10 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (conn && conn->state == BT_CONNECTED) {
	if (!conn)
		goto unlock;

	if (conn->state == BT_CONNECTED) {
		hci_conn_hold(conn);
		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
		hci_conn_put(conn);
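
Review bot: The new `if (!conn) goto unlock;` path leaves the function without answering the PIN code request, so an event for an address with no ACL connection is dropped silently. If the controller is expected to get a response in that case, send a negative reply before the `goto`; otherwise add a one-line comment above the check stating why ignoring the event is safe.
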
@@ -2194,6 +2197,7 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
		mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
	}

unlock:
	hci_dev_unlock(hdev);
}
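
Review bot: Because the `unlock:` label sits after the block that calls `mgmt_pin_code_request()`, the no-connection path gives user space no indication that a PIN request arrived and was discarded. A `BT_DBG` line on that path, placed before the jump, would make the dropped event visible when debugging pairing failures.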