Index: chromeos/compat-wireless/drivers/bluetooth/hci_ldisc.c |
diff --git a/chromeos/compat-wireless/drivers/bluetooth/hci_ldisc.c b/chromeos/compat-wireless/drivers/bluetooth/hci_ldisc.c |
index 41bec2112db7b0b03180621d40ac9eba08867b61..451eb24e6880b4c34a79a90ef6d21e8eb3c8bb53 100644 |
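--- a/chromeos/compat-wireless/drivers/bluetooth/hci_ldisc.c
+++ b/chromeos/compat-wireless/drivers/bluetooth/hci_ldisc.c
@@ -256,9 +256,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
 BT_DBG("tty %p", tty);
+ /* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+ the pointer */
 if (hu)
 return -EEXIST;
+ /* Error if the tty has no write op instead of leaving an exploitable
+ hole */
+ if (tty->ops->write == NULL)
+ return -EOPNOTSUPP;
+
 if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 BT_ERR("Can't allocate control structure");
 return -ENFILE;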
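Review bot: The two added comments do not say what actually goes wrong, which is the part a later reader needs. For the new guard, name the hazard instead of "exploitable hole", e.g. `/* Refuse a tty with no write op: the transmit path calls tty->ops->write without a NULL check, so attaching here would end in a NULL function-pointer call in kernel context. */`; the transmit path is outside this hunk, so confirm that wording against it. The FIXME above `if (hu)` should likewise state that `hu` is presumably read from the tty's line-discipline data, which a previous ldisc may leave set, so `-EEXIST` is not a reliable "already attached" test; the commit records that weakness but leaves it in place. As a point of style, kernel code usually writes the test as `if (!tty->ops->write)`. hci_uart_tty_open starts and ends outside the hunk.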