Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealin…

…g with l2cap socket ... rather than relying on ciptool(8) never passing it anything else. Give it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops, trying to evaluate &l2cap_pi(sock->sk)->chan->dst... Bug: 33982955 Signed-off-by: Al Viro <[email protected]> Signed-off-by: Marcel Holtmann <[email protected]> Change-Id: I078260c1b5be6a96b54c265da0236bf84842e450 Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · May 11, 2018 · 851facb · 851facb
1 parent b6a1402
commit 851facb
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
@@ -335,6 +335,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 
 	BT_DBG("");
 
+	if (!l2cap_is_socket(sock))
+		return -EBADFD;
+
 	session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
 	if (!session)
 		return -ENOMEM;