Bluetooth: Fix potential NULL dereference in SMP channel setup

When the allocation of the L2CAP channel for the BR/EDR security manager fails, then the smp variable might be NULL. In that case do not try to free the non-existing crypto contexts Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
author: Marcel Holtmann <marcel@holtmann.org> 2015-03-17 11:38:24 -0700
committer: Johan Hedberg <johan.hedberg@intel.com> 2015-03-18 08:30:03 +0200
commit: 63511f6d5ba0c20850448991be297751ddb6798c (patch)
tree: dbc670d6296219f8fa8882b287ca0967944f2fc5 /net
parent: 19c5ce9c5ff80a26cba3afb3684d56539444ee40 (diff)
download: linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6a5afb972358..1ec3f66b5a74 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -3124,9 +3124,11 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
 create_chan:
 	chan = l2cap_chan_create();
 	if (!chan) {
-		crypto_free_blkcipher(smp->tfm_aes);
-		crypto_free_hash(smp->tfm_cmac);
-		kzfree(smp);
+		if (smp) {
+			crypto_free_blkcipher(smp->tfm_aes);
+			crypto_free_hash(smp->tfm_cmac);
+			kzfree(smp);
+		}
 		return ERR_PTR(-ENOMEM);
 	}
author	Marcel Holtmann <marcel@holtmann.org>	2015-03-17 11:38:24 -0700
committer	Johan Hedberg <johan.hedberg@intel.com>	2015-03-18 08:30:03 +0200
commit	63511f6d5ba0c20850448991be297751ddb6798c (patch)
tree	dbc670d6296219f8fa8882b287ca0967944f2fc5 /net
parent	19c5ce9c5ff80a26cba3afb3684d56539444ee40 (diff)
download	linux-63511f6d5ba0c20850448991be297751ddb6798c.tar.gz