All of lore.kernel.org
 help / color / mirror / Atom feed
* [bug report] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
@ 2022-08-01 13:06 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2022-08-01 13:06 UTC (permalink / raw)
  To: luiz.von.dentz; +Cc: linux-bluetooth

Hello Luiz Augusto von Dentz,

The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:

	net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
	error: we previously assumed 'c' could be null (see line 1996)

net/bluetooth/l2cap_core.c
    1968 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
    1969                                                    bdaddr_t *src,
    1970                                                    bdaddr_t *dst,
    1971                                                    u8 link_type)
    1972 {
    1973         struct l2cap_chan *c, *c1 = NULL;
    1974 
    1975         read_lock(&chan_list_lock);
    1976 
--> 1977         list_for_each_entry(c, &chan_list, global_l) {
    1978                 if (state && c->state != state)
    1979                         continue;
    1980 
    1981                 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
    1982                         continue;
    1983 
    1984                 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
    1985                         continue;
    1986 
    1987                 if (c->psm == psm) {
    1988                         int src_match, dst_match;
    1989                         int src_any, dst_any;
    1990 
    1991                         /* Exact match. */
    1992                         src_match = !bacmp(&c->src, src);
    1993                         dst_match = !bacmp(&c->dst, dst);
    1994                         if (src_match && dst_match) {
    1995                                 c = l2cap_chan_hold_unless_zero(c);
    1996                                 if (!c)
    1997                                         continue;

If "c" is NULL then this will crash on the continue statement.  Should
it be list_for_each_entry_safe()?

    1998 
    1999                                 read_unlock(&chan_list_lock);
    2000                                 return c;
    2001                         }
    2002 
    2003                         /* Closest match */
    2004                         src_any = !bacmp(&c->src, BDADDR_ANY);
    2005                         dst_any = !bacmp(&c->dst, BDADDR_ANY);
    2006                         if ((src_match && dst_any) || (src_any && dst_match) ||
    2007                             (src_any && dst_any))
    2008                                 c1 = c;
    2009                 }
    2010         }
    2011 
    2012         if (c1)
    2013                 c1 = l2cap_chan_hold_unless_zero(c1);
    2014 
    2015         read_unlock(&chan_list_lock);
    2016 
    2017         return c1;
    2018 }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2022-08-01 13:06 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-01 13:06 [bug report] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.