Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf() (1dc2d785) · Commits · Mirrors / git.yoctoproject.org / linux-yocto

Commit 1dc2d785 authored Jan 22, 2019 by

Myungho Jung Committed by Marcel Holtmann Jan 22, 2019

Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()



h4_recv_buf() callers store the return value to socket buffer and
recursively pass the buffer to h4_recv_buf() without protection. So,
ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
before setting the socket buffer to NULL from previous error. Check if
skb is ERR_PTR in h4_recv_buf().

Reported-by:  <syzbot+017a32f149406df32703@syzkaller.appspotmail.com>
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

parent 37c589ec

Hide whitespace changes

Inline Side-by-side

Please register or to comment