lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 26 Mar 2019 15:29:56 +0900
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,,,
        Myungho Jung <>,
        Marcel Holtmann <>
Subject: [PATCH 4.14 19/41] Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()

4.14-stable review patch.  If anyone has any objections, please let me know.


From: Myungho Jung <>

commit 1dc2d785156cbdc80806c32e8d2c7c735d0b4721 upstream.

h4_recv_buf() callers store the return value to socket buffer and
recursively pass the buffer to h4_recv_buf() without protection. So,
ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
before setting the socket buffer to NULL from previous error. Check if
skb is ERR_PTR in h4_recv_buf().

Signed-off-by: Myungho Jung <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Greg Kroah-Hartman <>

 drivers/bluetooth/hci_h4.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_d
 	struct hci_uart *hu = hci_get_drvdata(hdev);
 	u8 alignment = hu->alignment ? hu->alignment : 1;
+	/* Check for error from previous call */
+	if (IS_ERR(skb))
+		skb = NULL;
 	while (count) {
 		int i, len;

Powered by blists - more mailing lists