Hi Johan,

On Thu, Jul 19, 2012 at 01:23:06PM +0300, Johan Hedberg wrote:
> Hi Andrei,
>
> On Thu, Jul 19, 2012, Andrei Emeltchenko wrote:
> > From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
> >
> > hdev might be dereferenced in handler->func functions.
> >
> > Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
> > ---
> >  net/bluetooth/mgmt.c | 11 ++++++-----
> >  1 file changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > index 2a0f695..48a83c9 100644
> > --- a/net/bluetooth/mgmt.c
> > +++ b/net/bluetooth/mgmt.c
> > @@ -2801,14 +2801,15 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
> >  		goto done;
> >  	}
> >
> > -	if (hdev)
> > +	if (hdev) {
> >  		mgmt_init_hdev(sk, hdev);
> >
> > -	cp = buf + sizeof(*hdr);
> > +		cp = buf + sizeof(*hdr);
> >
> > -	err = handler->func(sk, hdev, cp, len);
> > -	if (err < 0)
> > -		goto done;
> > +		err = handler->func(sk, hdev, cp, len);
> > +		if (err < 0)
> > +			goto done;
> > +	}
> >
> >  	err = msglen;
>
> Nack.
>
> hdev is supposed to be NULL for some of the commands/handlers
> (read_version, read_index_list, etc). With your change these mgmt
> commands couldn't be called anymore. There's also a check for this
> higher up in the mgmt_control function to ensure that hdev is not NULL
> for other handlers:

OK, though I do not like that division by command name.

>
> 	if ((hdev && opcode < MGMT_OP_READ_INFO) ||
> 	    (!hdev && opcode >= MGMT_OP_READ_INFO)) {
> 		err = cmd_status(sk, index, opcode,
> 				 MGMT_STATUS_INVALID_INDEX);
> 		goto done;
> 	}
>

Best regards
Andrei Emeltchenko
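Review bot: Moving `cp = buf + sizeof(*hdr);` and the `handler->func(...)` call inside `if (hdev) {` in the mgmt_control hunk skips dispatch entirely for the commands that are defined to run with a NULL hdev, yet the code then falls through to `err = msglen;`, so those commands would be reported to the caller as consumed without any handler having run and without any error status. That is a silent failure rather than a NULL-dereference fix. The opcode check quoted later in the thread (`hdev && opcode < MGMT_OP_READ_INFO` / `!hdev && opcode >= MGMT_OP_READ_INFO`) already guarantees hdev is non-NULL for every handler that needs it, so the added guard is redundant for those handlers and wrong for the others. If a specific handler really can dereference a NULL hdev, the commit message should name it and the fix belongs in that handler or in the opcode range check, not around the dispatch.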