| Message ID | 1371656071-27754-2-git-send-email-Dean_Jenkins@mentor.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to | David Miller |
On 06/19/2013 07:34 PM, Dean Jenkins wrote: > It appears that rfcomm_tty_write() does not check that the > passed in TTY device_data is not NULL and also does not check > that the RFCOMM DLC serial data link pointer is not NULL. > A kernel crash was observed whilst SLIP was bound to /dev/rfcomm0 > but the /dev/rfcomm0 had subsequently disconnected. Unfortunately, > SLIP attempted to write to the now non-existent RFCOMM TTY device > which caused a NULL pointer dereference because the device_data > no longer existed. > Therefore, add NULL pointer checks for the dev and dlc pointers > and output kernel error debug to show that NULL had been detected. > Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> > --- > net/bluetooth/rfcomm/tty.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c > index b6e44ad..56d28d1 100644 > --- a/net/bluetooth/rfcomm/tty.c > +++ b/net/bluetooth/rfcomm/tty.c > @@ -761,12 +761,24 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp) > static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count) > { > struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; > - struct rfcomm_dlc *dlc = dev->dlc; > + struct rfcomm_dlc *dlc; > struct sk_buff *skb; > int err = 0, sent = 0, size; > > BT_DBG("tty %p count %d", tty, count); > > + if (!dev) { > + BT_ERR("RFCOMM TTY device data structure does not exist"); > + return -ENODEV; > + } > + > + dlc = dev->dlc; > + I don't think an empty line is needed here. > + if (!dlc) { > + BT_ERR("RFCOMM serial data link does not exist"); > + return -ENOLINK; > + } > + WBR, Sergei
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index b6e44ad..56d28d1 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -761,12 +761,24 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp) static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count) { struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; - struct rfcomm_dlc *dlc = dev->dlc; + struct rfcomm_dlc *dlc; struct sk_buff *skb; int err = 0, sent = 0, size; BT_DBG("tty %p count %d", tty, count); + if (!dev) { + BT_ERR("RFCOMM TTY device data structure does not exist"); + return -ENODEV; + } + + dlc = dev->dlc; + + if (!dlc) { + BT_ERR("RFCOMM serial data link does not exist"); + return -ENOLINK; + } + while (count) { size = min_t(uint, count, dlc->mtu);
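Review bot: the two NULL checks narrow the window described in the commit message but do not close it: nothing in the hunk takes a lock or a reference before `dlc = dev->dlc;`, so a disconnect that clears `tty->driver_data` or `dev->dlc` between the check and the first use at `size = min_t(uint, count, dlc->mtu);` still dereferences a stale pointer. The robust fix is to keep the rfcomm_dev (and its dlc) alive for as long as the tty is open, so a writer can never observe the pointers going away, rather than testing for NULL at the top of the write path. Separately, `BT_ERR(...)` here fires on every write attempt while the line discipline (SLIP in the reported case) keeps retrying, which will flood the log; `BT_DBG` or a rate-limited message is more appropriate, and the blank `+` line after `dlc = dev->dlc;` should be dropped as already noted in review.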
It appears that rfcomm_tty_write() does not check that the passed in TTY device_data is not NULL and also does not check that the RFCOMM DLC serial data link pointer is not NULL.

A kernel crash was observed whilst SLIP was bound to /dev/rfcomm0 but the /dev/rfcomm0 had subsequently disconnected. Unfortunately, SLIP attempted to write to the now non-existent RFCOMM TTY device which caused a NULL pointer dereference because the device_data no longer existed.

Therefore, add NULL pointer checks for the dev and dlc pointers and output kernel error debug to show that NULL had been detected.

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
---
net/bluetooth/rfcomm/tty.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)