Commit 33f2d9d6 authored Aug 28, 2024 by Griffin Kroah-Hartman Committed by Zhengchao Shao Aug 28, 2024

Bluetooth: MGMT: Add error handling to pair_device()

mainline inclusion
from mainline-v6.11-rc5
commit 538fd3921afac97158d4177139a0ad39f056dbb2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMK01
CVE: CVE-2024-43884

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=538fd3921afac97158d4177139a0ad39f056dbb2



-------------------------------------------

hci_conn_params_add() never checks for a NULL value and could lead to a NULL
pointer dereference causing a crash.

Fixed by adding error handling in the function.

Cc: Stable <stable@kernel.org>
Fixes: 5157b8a5 ("Bluetooth: Fix initializing conn_params in scan phase")
Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
Reported-by: Yiwei Zhang <zhan4630@purdue.edu>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent cf3b556d

net/bluetooth/mgmt.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -2962,6 +2962,10 @@ static int pair_device(struct sock sk, struct hci_dev hdev, void *data,
		* will be kept and this function does nothing.
		*/
		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
		if (!p) {
		err = -EIO;
		goto unlock;
		}

		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
		p->auto_connect = HCI_AUTO_CONN_DISABLED;