[Bluetooth] Fix NULL pointer dereferences of the HCI socket

This patch fixes the two NULL pointer dereferences found by the sfuzz tool from Ilja van Sprundel. The first one was a call of getsockname() for an unbound socket and the second was calling accept() while this operation isn't implemented for the HCI socket interface. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
git-mirror · Feb 13, 2006 · 7b005bd · 7b005bd
1 parent 56f3a40
commit 7b005bd
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
@@ -143,13 +143,15 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 static int hci_sock_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct hci_dev *hdev = hci_pi(sk)->hdev;
+	struct hci_dev *hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
 	if (!sk)
 		return 0;
 
+	hdev = hci_pi(sk)->hdev;
+
 	bt_sock_unlink(&hci_sk_list, sk);
 
 	if (hdev) {
@@ -311,14 +313,18 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
 {
 	struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 	struct sock *sk = sock->sk;
+	struct hci_dev *hdev = hci_pi(sk)->hdev;
 
 	BT_DBG("sock %p sk %p", sock, sk);
 
+	if (!hdev)
+		return -EBADFD;
+
 	lock_sock(sk);
 
 	*addr_len = sizeof(*haddr);
 	haddr->hci_family = AF_BLUETOOTH;
-	haddr->hci_dev    = hci_pi(sk)->hdev->id;
+	haddr->hci_dev    = hdev->id;
 
 	release_sock(sk);
 	return 0;