Commit ee802a49 authored by Paolo Abeni's avatar Paolo Abeni
Browse files

Merge tag 'for-net-2024-10-30' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - hci: fix null-ptr-deref in hci_read_supported_codecs

* tag 'for-net-2024-10-30' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
====================

Link: https://patch.msgid.link/20241030192205.38298-1-luiz.dentz@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents d80a3091 1e67d864

net/bluetooth/hci_sync.c

+11 −7
Original line number Diff line number Diff line
@@ -206,6 +206,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, 
		return ERR_PTR(err);

	}



	/* If command return a status event skb will be set to NULL as there are

	 * no parameters.

	 */

	if (!skb)

		return ERR_PTR(-ENODATA);



	return skb;

}

EXPORT_SYMBOL(__hci_cmd_sync_sk);
@@ -255,6 +261,11 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen, 
	u8 status;



	skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);



	/* If command return a status event, skb will be set to -ENODATA */

	if (skb == ERR_PTR(-ENODATA))

		return 0;



	if (IS_ERR(skb)) {

		if (!event)

			bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
@@ -262,13 +273,6 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen, 
		return PTR_ERR(skb);

	}



	/* If command return a status event skb will be set to NULL as there are

	 * no parameters, in case of failure IS_ERR(skb) would have be set to

	 * the actual error would be found with PTR_ERR(skb).

	 */

	if (!skb)

		return 0;



	status = skb->data[0];



	kfree_skb(skb);