From: Marcel Holtmann Date: Tue, 17 Mar 2015 18:38:24 +0000 (-0700) Subject: Bluetooth: Fix potential NULL dereference in SMP channel setup X-Git-Tag: firefly_0821_release~176^2~1974^2~69^2~62 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=63511f6d5ba0c20850448991be297751ddb6798c;p=firefly-linux-kernel-4.4.55.git Bluetooth: Fix potential NULL dereference in SMP channel setup When the allocation of the L2CAP channel for the BR/EDR security manager fails, then the smp variable might be NULL. In that case do not try to free the non-existing crypto contexts Reported-by: Dan Carpenter Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 6a5afb972358..1ec3f66b5a74 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -3124,9 +3124,11 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) create_chan: chan = l2cap_chan_create(); if (!chan) { - crypto_free_blkcipher(smp->tfm_aes); - crypto_free_hash(smp->tfm_cmac); - kzfree(smp); + if (smp) { + crypto_free_blkcipher(smp->tfm_aes); + crypto_free_hash(smp->tfm_cmac); + kzfree(smp); + } return ERR_PTR(-ENOMEM); }