It appears that rfcomm_tty_write() does not check that the passed-in TTY device_data is not NULL and also does not check that the RFCOMM DLC serial data link pointer is not NULL.
A kernel crash was observed whilst SLIP was bound to /dev/rfcomm0 but the /dev/rfcomm0 had subsequently disconnected. Unfortunately, SLIP attempted to write to the now non-existent RFCOMM TTY device, which caused a NULL pointer dereference because the device_data no longer existed. Therefore, add NULL pointer checks for the dev and dlc pointers and output kernel error debug to show that NULL had been detected.

Signed-off-by: Dean Jenkins <[email protected]>
---
 net/bluetooth/rfcomm/tty.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index b6e44ad..56d28d1 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -761,12 +761,24 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
 static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
 {
 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
-	struct rfcomm_dlc *dlc = dev->dlc;
+	struct rfcomm_dlc *dlc;
 	struct sk_buff *skb;
 	int err = 0, sent = 0, size;
 
 	BT_DBG("tty %p count %d", tty, count);
 
+	if (!dev) {
+		BT_ERR("RFCOMM TTY device data structure does not exist");
+		return -ENODEV;
+	}
+
+	dlc = dev->dlc;
+
+	if (!dlc) {
+		BT_ERR("RFCOMM serial data link does not exist");
+		return -ENOLINK;
+	}
+
 	while (count) {
 		size = min_t(uint, count, dlc->mtu);
 
-- 
1.8.1.5
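Review bot: the two NULL checks only catch a driver_data or dlc that is already NULL at the moment rfcomm_tty_write() is entered; nothing in the hunk stops the disconnect path from tearing the device down after the check, while the loop that follows still dereferences dlc->mtu and queues skbs on the link, so the race the commit message describes (SLIP writing after /dev/rfcomm0 went away) is narrowed rather than closed. A lifetime guarantee for dev across the whole write (a reference taken before the check and dropped on every return path) would be the robust fix, with the NULL checks kept as an early exit. Two smaller points: BT_ERR on every write to a vanished device will flood the log when a line discipline keeps retrying, so BT_DBG or a rate-limited message fits better here; and a short comment on why a missing dlc returns -ENOLINK while a missing dev returns -ENODEV would help readers, since the two cases are otherwise handled identically.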

