From: Johan Hedberg <johan.hedberg@xxxxxxxxx> The smp_user_confirm_reply() function is called whenever user space sends a user confirmation reply mgmt command. In case of a misbehaving user space, or if the SMP session was removed by the time the command comes it is important that we return an appropriate error and do not try to access the non-existent SMP context. This patch adds the appropriate check for the HCI_CONN_LE_SMP_PEND flag before proceeding further. Signed-off-by: Johan Hedberg <johan.hedberg@xxxxxxxxx> --- net/bluetooth/smp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 2566a3e43bb5..641ce8b69d2a 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -638,7 +638,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) BT_DBG(""); - if (!conn) + if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) return -ENOTCONN; smp = conn->smp_chan; -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html