Bluetooth: Fix possible NULL pointer dereference in cmd_complete

It is now possible to create command complete event without specific reply data by passing NULL as reply with len 0. Check pointer before calling memcpy to avoid undefined behaviour. Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

Bluetooth: Fix possible NULL pointer dereference in cmd_complete
It is now possible to create command complete event without specific reply data by passing NULL as reply with len 0. Check pointer before calling memcpy to avoid undefined behaviour. Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
8020c16a · Szymon Janc · Gustavo F. Padovan · 30e76272 · 8020c16a
Commit 8020c16a authored Feb 28, 2011 by Szymon Janc Committed by Gustavo F. Padovan Mar 01, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

net/bluetooth/mgmt.c net/bluetooth/mgmt.c +3 -1

No files found.
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,

 	ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
 	put_unaligned_le16(cmd, &ev->opcode);
-	memcpy(ev->data, rp, rp_len);
+
+	if (rp)
+		memcpy(ev->data, rp, rp_len);

 	if (sock_queue_rcv_skb(sk, skb) < 0)
 		kfree_skb(skb);