Bluetooth: Fix potential NULL dereference

[deliverable/linux.git] / net / bluetooth / bnep / core.c

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 85bcc21e84d2006c4839b2b7f409f2595cb41858..05f57e491ccbd614a1d306c49df891e4a2ec00c6 100644 (file)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -511,13 +511,12 @@ static int bnep_session(void *arg)
 
 static struct device *bnep_get_device(struct bnep_session *session)
 {
-       struct hci_conn *conn;
+       struct l2cap_conn *conn = l2cap_pi(session->sock->sk)->chan->conn;
 
-       conn = l2cap_pi(session->sock->sk)->chan->conn->hcon;
-       if (!conn)
+       if (!conn || !conn->hcon)
                return NULL;
 
-       return &conn->dev;
+       return &conn->hcon->dev;
 }
 
 static struct device_type bnep_type = {
@@ -533,6 +532,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
 
        BT_DBG("");
 
+       if (!l2cap_is_socket(sock))
+               return -EBADFD;
+
        baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
        baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);