* [bug report] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
@ 2022-08-01 13:06 Dan Carpenter
From: Dan Carpenter @ 2022-08-01 13:06 UTC (permalink / raw)
To: luiz.von.dentz; +Cc: linux-bluetooth
Hello Luiz Augusto von Dentz,
The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:
net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
error: we previously assumed 'c' could be null (see line 1996)
net/bluetooth/l2cap_core.c
    1968 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
    1969                                                    bdaddr_t *src,
    1970                                                    bdaddr_t *dst,
    1971                                                    u8 link_type)
    1972 {
    1973         struct l2cap_chan *c, *c1 = NULL;
    1974 
    1975         read_lock(&chan_list_lock);
    1976 
--> 1977         list_for_each_entry(c, &chan_list, global_l) {
    1978                 if (state && c->state != state)
    1979                         continue;
    1980 
    1981                 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
    1982                         continue;
    1983 
    1984                 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
    1985                         continue;
    1986 
    1987                 if (c->psm == psm) {
    1988                         int src_match, dst_match;
    1989                         int src_any, dst_any;
    1990 
    1991                         /* Exact match. */
    1992                         src_match = !bacmp(&c->src, src);
    1993                         dst_match = !bacmp(&c->dst, dst);
    1994                         if (src_match && dst_match) {
    1995                                 c = l2cap_chan_hold_unless_zero(c);
    1996                                 if (!c)
    1997                                         continue;
If "c" is NULL then this will crash on the continue statement. Should
it be list_for_each_entry_safe()?
    1998 
    1999                                 read_unlock(&chan_list_lock);
    2000                                 return c;
    2001                         }
    2002 
    2003                         /* Closest match */
    2004                         src_any = !bacmp(&c->src, BDADDR_ANY);
    2005                         dst_any = !bacmp(&c->dst, BDADDR_ANY);
    2006                         if ((src_match && dst_any) || (src_any && dst_match) ||
    2007                             (src_any && dst_any))
    2008                                 c1 = c;
    2009                 }
    2010         }
    2011 
    2012         if (c1)
    2013                 c1 = l2cap_chan_hold_unless_zero(c1);
    2014 
    2015         read_unlock(&chan_list_lock);
    2016 
    2017         return c1;
    2018 }
regards,
dan carpenter
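Added example (not from the report or the kernel tree): a user-space model of the iteration hazard the warning describes. Plain list_for_each_entry() advances through the cursor itself, so setting c to NULL and then hitting `continue` dereferences NULL; the _safe variant suggested above loads the next node before the body runs. The list helpers, struct chan, chan_hold_unless_zero() and demo() are constructed stand-ins for the kernel's list.h and l2cap types.

```c
#include <stddef.h>
/* Minimal kernel-style intrusive list (a constructed model, not Bluetooth code). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
/* Safe iteration: `n` is loaded before the body runs, so the body may set `pos`
 * to NULL and still `continue`. Plain list_for_each_entry() would instead step
 * via pos->member.next, which is the NULL dereference Smatch points at. */
#define list_for_each_entry_safe(pos, n, head, member)                   \
	for (pos = list_entry((head)->next, __typeof__(*pos), member),       \
	     n = list_entry(pos->member.next, __typeof__(*pos), member);     \
	     &pos->member != (head);                                         \
	     pos = n, n = list_entry(n->member.next, __typeof__(*n), member))
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *new, struct list_head *head)
{
	new->next = head; new->prev = head->prev;
	head->prev->next = new; head->prev = new;
}
/* Stand-in for l2cap_chan; refcnt 0 means the last reference is already gone. */
struct chan { int refcnt; int psm; struct list_head global_l; };
/* Models l2cap_chan_hold_unless_zero(): take a reference only if one exists. */
static struct chan *chan_hold_unless_zero(struct chan *c) { return c->refcnt ? (c->refcnt++, c) : NULL; }
/* Lookup modelled on l2cap_global_chan_by_psm(): a dying channel is skipped
 * and the walk resumes from the cached `n`, not from the clobbered `c`. */
struct chan *find_chan_by_psm(struct list_head *head, int psm)
{
	struct chan *c, *n;
	list_for_each_entry_safe(c, n, head, global_l) {
		if (c->psm != psm)
			continue;
		c = chan_hold_unless_zero(c);
		if (!c)
			continue;	/* c is NULL here; safe only because of n */
		return c;
	}
	return NULL;
}
/* Two same-PSM channels a, b: returns 10*index + new refcount of the hit, or -1. */
int demo(int refcnt_a, int refcnt_b)
{
	struct list_head chan_list;
	struct chan a = { refcnt_a, 5 }, b = { refcnt_b, 5 }, *found;
	INIT_LIST_HEAD(&chan_list);
	list_add_tail(&a.global_l, &chan_list);
	list_add_tail(&b.global_l, &chan_list);
	found = find_chan_by_psm(&chan_list, 5);
	return found ? (found == &a ? 0 : 10) + found->refcnt : -1;
}
```

demo(0, 1) skips the dying channel a and returns 12 (b found, refcount bumped to 2); with the plain macro the same input would dereference NULL at the `continue`.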