Bluetooth: Fix potential NULL dereference in SMP channel setup

When the allocation of the L2CAP channel for the BR/EDR security manager fails, then the smp variable might be NULL. In that case do not try to free the non-existing crypto contexts Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
author: Marcel Holtmann 2015-03-17 19:38:24 +0100
committer: Johan Hedberg 2015-03-18 07:30:03 +0100
commit: 63511f6d5ba0c20850448991be297751ddb6798c (patch)
tree: dbc670d6296219f8fa8882b287ca0967944f2fc5 /net/bluetooth/smp.c
parent: Bluetooth: Add workaround for broken OS X legacy SMP pairing (diff)
download: kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.gz
kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.xz
kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.zip
1 files changed, 5 insertions, 3 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6a5afb972358..1ec3f66b5a74 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -3124,9 +3124,11 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
 create_chan:
 	chan = l2cap_chan_create();
 	if (!chan) {
-		crypto_free_blkcipher(smp->tfm_aes);
-		crypto_free_hash(smp->tfm_cmac);
-		kzfree(smp);
+		if (smp) {
+			crypto_free_blkcipher(smp->tfm_aes);
+			crypto_free_hash(smp->tfm_cmac);
+			kzfree(smp);
+		}
 		return ERR_PTR(-ENOMEM);
 	}
author	Marcel Holtmann	2015-03-17 19:38:24 +0100
committer	Johan Hedberg	2015-03-18 07:30:03 +0100
commit	63511f6d5ba0c20850448991be297751ddb6798c (patch)
tree	dbc670d6296219f8fa8882b287ca0967944f2fc5 /net/bluetooth/smp.c
parent	Bluetooth: Add workaround for broken OS X legacy SMP pairing (diff)
download	kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.gz kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.xz kernel-qcow2-linux-63511f6d5ba0c20850448991be297751ddb6798c.zip