Commit f1c09c07 authored by Vinicius Costa Gomes's avatar Vinicius Costa Gomes Committed by Johan Hedberg

Bluetooth: Fix invalid memory access when there's no SMP channel

We only should try to free the SMP channel that was created if there
is a pending SMP session.
Signed-off-by: default avatarVinicius Costa Gomes <vinicius.gomes@openbossa.org>
Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
parent 66f01296
...@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send) ...@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags); clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason); mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
cancel_delayed_work_sync(&conn->security_timer); cancel_delayed_work_sync(&conn->security_timer);
smp_chan_destroy(conn); smp_chan_destroy(conn);
}
} }
#define JUST_WORKS 0x00 #define JUST_WORKS 0x00
...@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn) ...@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
{ {
struct smp_chan *smp = conn->smp_chan; struct smp_chan *smp = conn->smp_chan;
clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags); BUG_ON(!smp);
if (smp->tfm) if (smp->tfm)
crypto_free_blkcipher(smp->tfm); crypto_free_blkcipher(smp->tfm);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment