Bluetooth: Fix potential NULL dereference in SMP channel setup
When the allocation of the L2CAP channel for the BR/EDR security manager
fails, then the smp variable might be NULL. In that case do not try to
free the non-existing crypto contexts

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann authored and Johan Hedberg committed Mar 18, 2015
1 parent 19c5ce9 commit 63511f6
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions net/bluetooth/smp.c
Expand Up @@ -3124,9 +3124,11 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
create_chan:
chan = l2cap_chan_create();
if (!chan) {
crypto_free_blkcipher(smp->tfm_aes);
crypto_free_hash(smp->tfm_cmac);
kzfree(smp);
if (smp) {
crypto_free_blkcipher(smp->tfm_aes);
crypto_free_hash(smp->tfm_cmac);
kzfree(smp);
}
return ERR_PTR(-ENOMEM);
}
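
Review bot: the `if (smp)` guard in the `!chan` error path is only sound if smp is explicitly set to NULL on every path that reaches `create_chan:` without allocating it, and that assignment is not visible in this hunk. Please confirm the BR/EDR path named in the commit message assigns NULL before the jump, otherwise the guard tests an uninitialised pointer and the crypto_free_blkcipher(smp->tfm_aes) dereference is still reachable. A one-line comment above the guard saying that smp is NULL for the BR/EDR security manager channel would also keep a later cleanup from dropping the check as redundant.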
