Bluetooth: Fix potential NULL dereference in SMP channel setup
authorMarcel Holtmann <marcel@holtmann.org>
Tue, 17 Mar 2015 18:38:24 +0000 (11:38 -0700)
committerJohan Hedberg <johan.hedberg@intel.com>
Wed, 18 Mar 2015 06:30:03 +0000 (08:30 +0200)
When the allocation of the L2CAP channel for the BR/EDR security manager
fails, then the smp variable might be NULL. In that case do not try to
free the non-existing crypto contexts

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
net/bluetooth/smp.c

index 6a5afb9..1ec3f66 100644 (file)
@@ -3124,9 +3124,11 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
 create_chan:
        chan = l2cap_chan_create();
        if (!chan) {
-               crypto_free_blkcipher(smp->tfm_aes);
-               crypto_free_hash(smp->tfm_cmac);
-               kzfree(smp);
+               if (smp) {
+                       crypto_free_blkcipher(smp->tfm_aes);
+                       crypto_free_hash(smp->tfm_cmac);
+                       kzfree(smp);
+               }
                return ERR_PTR(-ENOMEM);
        }