author Johan Hedberg <johan.hedberg@intel.com> 2014-06-27 14:23:06 +0300
committer Marcel Holtmann <marcel@holtmann.org> 2014-07-03 17:42:47 +0200
commit 642ac7745a45904d2a7c2463a3a3e60dc097be04
tree 5d814c6133886cf700b1e7653c7c1a536149d540 /net/bluetooth/smp.c
parent a9999348e70ebaf5ceaad8f23611d40a6db1e3bc
Bluetooth: Fix missing check for SMP session in smp_user_confirm_reply
The smp_user_confirm_reply() function is called whenever user space sends a user confirmation reply mgmt command. In case of a misbehaving user space, or if the SMP session was removed by the time the command comes it is important that we return an appropriate error and do not try to access the non-existent SMP context. This patch adds the appropriate check for the HCI_CONN_LE_SMP_PEND flag before proceeding further.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/smp.c')
-rw-r--r-- net/bluetooth/smp.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 2566a3e43bb5..641ce8b69d2a 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -638,7 +638,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
BT_DBG("");
- if (!conn)
+ if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
return -ENOTCONN;
smp = conn->smp_chan;
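Review bot: the new condition on the `if (!conn || !test_bit(...))` line treats HCI_CONN_LE_SMP_PEND as a proxy for conn->smp_chan being valid, but the next statement, `smp = conn->smp_chan;`, still reads the pointer with no check of its own and with no locking visible in this hunk. If the session can be removed between the test_bit() and that read, the window the commit message describes is narrowed rather than closed. Suggest documenting in a comment above the check which lock the caller is expected to hold, or also checking smp for NULL after the assignment and returning -ENOTCONN there too. A short comment stating that the flag implies a live smp_chan would also make the invariant explicit for later changes to this function.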