Bluetooth: Fix possible NULL pointer dereference

Checking conn->pending_sec_level if there is no connection leads to potential
null pointer dereference. Don't process pin_code_request_event at all if no
connection exists.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 35083f2aa2ea0c0ae23608b4fa421f0646b9b08d..7390ba9d4f6eeecc54495844dba2dee7b0aa9fad 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2174,7 +2174,10 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
        hci_dev_lock(hdev);
 
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-       if (conn && conn->state == BT_CONNECTED) {
+       if (!conn)
+               goto unlock;
+
+       if (conn->state == BT_CONNECTED) {
                hci_conn_hold(conn);
                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
                hci_conn_put(conn);
@@ -2194,6 +2197,7 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
                mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
        }
 
+unlock:
        hci_dev_unlock(hdev);
 }