summaryrefslogtreecommitdiff
path: root/net/bluetooth/l2cap_core.c
diff options
context:
space:
mode:
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2021-05-19 23:41:50 +0300
committerMarcel Holtmann <marcel@holtmann.org>2021-06-26 08:12:32 +0300
commit1fa20d7d4aad02206e84b74915819fbe9f81dab3 (patch)
treea1e1277f8b18d361a44ab671e47d06325c84eaec /net/bluetooth/l2cap_core.c
parent1c58e933aba23f68c0d3f192f7cc6eed8fabd694 (diff)
downloadlinux-1fa20d7d4aad02206e84b74915819fbe9f81dab3.tar.xz
Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails
The use of l2cap_chan_del is not safe under a loop using list_for_each_entry. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
-rw-r--r--net/bluetooth/l2cap_core.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7d975cf98c20..f3b70fa348ab 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6248,7 +6248,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
struct l2cap_cmd_hdr *cmd, u16 cmd_len,
u8 *data)
{
- struct l2cap_chan *chan;
+ struct l2cap_chan *chan, *tmp;
struct l2cap_ecred_conn_rsp *rsp = (void *) data;
u16 result;
@@ -6262,7 +6262,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
if (!result)
return 0;
- list_for_each_entry(chan, &conn->chan_l, list) {
+ list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
if (chan->ident != cmd->ident)
continue;