Bluetooth: Fix possible NULL pointer dereference in cmd_complete

It is now possible to create command complete event without specific
reply data by passing NULL as reply with len 0. Check pointer before
calling memcpy to avoid undefined behaviour.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 46c3edc72cd1dcb85644bf7eaa663c1779a280f4..34f58f4ad12bf1059d45d7cdd63834593fc0ec0f 100644 (file)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -92,7 +92,9 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,
 
        ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
        put_unaligned_le16(cmd, &ev->opcode);
-       memcpy(ev->data, rp, rp_len);
+
+       if (rp)
+               memcpy(ev->data, rp, rp_len);
 
        if (sock_queue_rcv_skb(sk, skb) < 0)
                kfree_skb(skb);