Dear all,
hci_le_big_sync_established_evt() has a potential null-ptr-deref bug.
hci_le_big_sync_established_evt()
bis = hci_conn_hash_lookup_handle(hdev, handle);
if (!bis)
bis = hci_conn_add() <- could fail
/* ... */
bis = hci_conn_hash_lookup_handle(hdev, handle);
set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); <- null-ptr-deref
There is a missing check after hci_conn_hash_lookup_handle(), which can
return NULL. Especially, if a prior hci_conn_add() fails than
hci_conn_hash_lookup_handle() will return NULL.
This patch fixes this by adding a check.
Thanks,
Sungwoo.
Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>
---
net/bluetooth/hci_event.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4a27e4a17..d72d238c1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -7037,6 +7037,8 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
u16 handle = le16_to_cpu(ev->bis[i]);
bis = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!bis)
+ continue;
set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
hci_connect_cfm(bis, ev->status);
--
2.34.1
