authorSzymon Janc <szymon.janc@tieto.com>2011-02-28 14:09:50 +0100
committerGustavo F. Padovan <padovan@profusion.mobi>2011-03-01 22:18:17 -0300
commit8020c16a6c9fc8d6a5217be8d005f2fc558f6ab5 (patch)
tree1abf93e525caff365c8447f44bb985d5e6b2b6bc /net/bluetooth/mgmt.c
parent30e7627219f985cd17a1ac24e0163ebcfb1277bf (diff)
Bluetooth: Fix possible NULL pointer dereference in cmd_complete
It is now possible to create command complete event without specific reply data by passing NULL as reply with len 0. Check pointer before calling memcpy to avoid undefined behaviour. Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Diffstat (limited to 'net/bluetooth/mgmt.c')
-rw-r--r--net/bluetooth/mgmt.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 46c3edc72cd..34f58f4ad12 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,
ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
put_unaligned_le16(cmd, &ev->opcode);
- memcpy(ev->data, rp, rp_len);
+
+ if (rp)
+ memcpy(ev->data, rp, rp_len);
if (sock_queue_rcv_skb(sk, skb) < 0)
kfree_skb(skb);
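Review bot: The new `if (rp)` guard skips the copy but leaves the `rp_len` bytes that `skb_put()` already reserved for `ev->data` unwritten, so a caller passing `rp == NULL` with a non-zero `rp_len` would queue whatever the skb buffer held to the receiving socket. The commit message describes only the NULL-with-len-0 case, and neither the callers nor the skb allocation are visible in this hunk, so this may be unreachable today. I would make the contract explicit by adding `else` followed by `memset(ev->data, 0, rp_len);` after the copy, or by forcing `rp_len` to 0 for a NULL `rp` before the skb is sized, which happens above the hunk. cmd_complete starts and ends outside the hunk.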