Bluetooth: Fix possible NULL pointer dereference

Checking conn->pending_sec_level if there is no connection leads to potential null pointer dereference. Don't process pin_code_request_event at all if no connection exists. Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
git-mirror · Sep 29, 2011 · b6f9804 · b6f9804
1 parent 67c9e84
commit b6f9804
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
@@ -2174,7 +2174,10 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
 	hci_dev_lock(hdev);
 
 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-	if (conn && conn->state == BT_CONNECTED) {
+	if (!conn)
+		goto unlock;
+
+	if (conn->state == BT_CONNECTED) {
 		hci_conn_hold(conn);
 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
 		hci_conn_put(conn);
@@ -2194,6 +2197,7 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
 		mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
 	}
 
+unlock:
 	hci_dev_unlock(hdev);
 }