This patch fixes the two NULL pointer dereferences found by the sfuzz
tool from Ilja van Sprundel. The first one was a call of getsockname()
for an unbound socket and the second was calling accept() while this
operation isn't implemented for the HCI socket interface.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
static int hci_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
static int hci_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct hci_dev *hdev = hci_pi(sk)->hdev;
BT_DBG("sock %p sk %p", sock, sk);
if (!sk)
return 0;
BT_DBG("sock %p sk %p", sock, sk);
if (!sk)
return 0;
+ hdev = hci_pi(sk)->hdev;
+
bt_sock_unlink(&hci_sk_list, sk);
if (hdev) {
bt_sock_unlink(&hci_sk_list, sk);
if (hdev) {
{
struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
struct sock *sk = sock->sk;
{
struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
struct sock *sk = sock->sk;
+ struct hci_dev *hdev = hci_pi(sk)->hdev;
BT_DBG("sock %p sk %p", sock, sk);
BT_DBG("sock %p sk %p", sock, sk);
+ if (!hdev)
+ return -EBADFD;
+
lock_sock(sk);
*addr_len = sizeof(*haddr);
haddr->hci_family = AF_BLUETOOTH;
lock_sock(sk);
*addr_len = sizeof(*haddr);
haddr->hci_family = AF_BLUETOOTH;
- haddr->hci_dev = hci_pi(sk)->hdev->id;
+ haddr->hci_dev = hdev->id;
release_sock(sk);
return 0;
release_sock(sk);
return 0;