From 831423ea1879244e746f39d7696ad4a66681f306 Mon Sep 17 00:00:00 2001
From: Hemant Gupta
Date: Wed, 8 Jan 2014 12:42:13 +0530
Subject: [PATCH] Bluetooth: Fix to avoid NULL pointer dereferences

This fix for avoiding NULL pointer dereferences:
- Added check for state checking in btm_remove_acl function to avoid sending disconnect command if already in Disconnecting state.
- Added NULL check for 'pin_code' in btif_dm_pin_reply function
- Null check before accessing in BD interface layer configuration node variables.
- Add NULL check before accessing p_bd_addr variable to avoid null pointer exception while referring to invalid memory.

Change-Id: Ib7ed45b6a1692785a45224d739a564f767e5b10f
---
 btif/src/btif_config.c | 2 +-
 btif/src/btif_dm.c | 2 ++
 stack/btm/btm_acl.c | 3 ++-
 stack/btm/btm_sec.c | 4 ++--
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/btif/src/btif_config.c b/btif/src/btif_config.c
index 06035cf9b..33f023938 100644
--- a/btif/src/btif_config.c
+++ b/btif/src/btif_config.c
@@ -434,7 +434,7 @@ static cfg_node* find_add_node(cfg_node* p, const char* name)
         }
         else ADD_CHILD_COUNT(p, 1);
     }
     else node = &p->child[i];
-    if(!node->name)
+    if(node && (!node->name))
         node->name = strdup(name);
     return node;
 }
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index d3cc5f8b9..9f1caef7d 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -2059,6 +2059,8 @@ bt_status_t btif_dm_pin_reply( const bt_bdaddr_t *bd_addr, uint8_t accept,
                                uint8_t pin_len, bt_pin_code_t *pin_code)
 {
     BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);
+    if (pin_code == NULL)
+        return BT_STATUS_FAIL;
 
 #if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))
     if (pairing_cb.is_le_only)
diff --git a/stack/btm/btm_acl.c b/stack/btm/btm_acl.c
index 07f6e4339..24d1b4add 100644
--- a/stack/btm/btm_acl.c
+++ b/stack/btm/btm_acl.c
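Review bot: The strdup() on the line after the new guard is still unchecked, so on allocation failure the node is handed back with `name == NULL` while it has presumably already been counted as a child of `p` (the ADD_CHILD_COUNT line above); a later lookup that compares child names would hit the same NULL dereference this patch is trying to avoid. Folding it into the same condition keeps the contract simple: `if (node && !node->name && !(node->name = strdup(name))) return NULL;`. Callers then need to handle a NULL return from find_add_node in both cases; the allocation path that can leave `node` NULL starts before this hunk and is worth checking for the same reason. find_add_node's body begins outside the hunk.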
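Review bot: The new guard validates `pin_code` but not `bd_addr`, which is equally a caller-supplied pointer and is presumably dereferenced for the peer address further down (outside the hunk); rejecting both in one place, `if (bd_addr == NULL || pin_code == NULL) return BT_STATUS_FAIL;`, makes the contract uniform. `pin_len` is also passed through unbounded; if the lower layer copies `pin_len` bytes out of `pin_code->pin`, rejecting `pin_len > sizeof(pin_code->pin)` here would close an over-read on a caller-controlled length — worth confirming against the BTA call later in the function. The early return is silent; a `BTIF_TRACE_ERROR` next to the existing trace would make a rejected reply diagnosable. btif_dm_pin_reply's body continues outside the hunk.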
@@ -3266,7 +3266,8 @@ tBTM_STATUS btm_remove_acl (BD_ADDR bd_addr, tBT_TRANSPORT transport)
         else /* otherwise can disconnect right away */
 #endif
         {
-            if (hci_handle != 0xFFFF)
+            if (hci_handle != 0xFFFF && p_dev_rec &&
+                p_dev_rec->sec_state!= BTM_SEC_STATE_DISCONNECTING)
             {
                 if (!btsnd_hcic_disconnect (hci_handle, HCI_ERR_PEER_USER))
                     status = BTM_NO_RESOURCES;
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index 634d40d9a..01de1b6d6 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -3137,7 +3137,7 @@ void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT
             /* Notify all clients waiting for name to be resolved */
             for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
             {
-                if (btm_cb.p_rmt_name_callback[i])
+                if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
                     (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
                                                     p_dev_rec->sec_bd_name);
             }
@@ -3151,7 +3151,7 @@ void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT
             /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
             for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
             {
-                if (btm_cb.p_rmt_name_callback[i])
+                if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
                     (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
             }
 
-- 
2.11.0
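Review bot: The added `p_dev_rec &&` clause does more than the commit message describes: with a valid `hci_handle` but no device record, the HCI Disconnect is now skipped entirely and `status` is left untouched, so the caller is told the removal went ahead while no command was sent. If the intent is only to avoid a duplicate disconnect, make the record optional: `if (hci_handle != 0xFFFF && (!p_dev_rec || p_dev_rec->sec_state != BTM_SEC_STATE_DISCONNECTING))`. Nothing in the hunk moves `sec_state` to BTM_SEC_STATE_DISCONNECTING after the command goes out, so the guard only dedupes if some other path sets it — worth confirming. Style nit: `sec_state!=` is missing the space before the operator. btm_remove_acl starts and ends outside the hunk.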
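Review bot: `p_bd_addr` is loop-invariant, so re-testing it on every iteration is noise, and more importantly a NULL `p_bd_addr` now silently suppresses every callback even though `p_dev_rec` is known non-NULL on the next line (its `dev_class` and `sec_bd_name` are read). If the device record carries the peer address (presumably as `bd_addr`), falling back to it keeps the waiters informed: `UINT8 *addr = p_bd_addr ? p_bd_addr : p_dev_rec->bd_addr;` before the loop, then pass `addr` to the callback. Otherwise the clients that registered for this completion never receive it. btm_sec_rmt_name_request_complete begins outside the hunk.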
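Review bot: The guard contradicts the comment directly above the loop: the notification is documented as being delivered "even if not found so clients can continue", but with `p_bd_addr == NULL` it is now dropped and the registered callbacks are left waiting with no completion at all. Here there is no device record to borrow an address from, so the decision should at least be explicit and visible: hoist the check out of the loop and trace the dropped case, `if (!p_bd_addr) { BTM_TRACE_ERROR("%s: no bd_addr, name waiters not notified", __FUNCTION__); return; }`, rather than failing quietly inside the loop. Whether the waiters should instead be released with a zero address is a behaviour question the commit should answer rather than leave implicit. The enclosing function ends outside the hunk.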