Bluetooth: Fix invalid memory access when there's no SMP channel

We only should try to free the SMP channel that was created if there is a pending SMP session. Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
author: Vinicius Costa Gomes <vinicius.gomes@openbossa.org> 2012-02-01 16:27:56 -0500
committer: Johan Hedberg <johan.hedberg@intel.com> 2012-02-13 10:01:31 -0500
commit: f1c09c07cd1a6c1676c4df6450d2b28875e184c1 (patch)
tree: 5056e05979ddddaa25279379bb7b7d2d91978c0a /net/bluetooth/smp.c
parent: 66f01296962dfebf032c18ffe61c53a199b4a7bd (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 581833436afa..9ff56e18d99b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
        mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
-        cancel_delayed_work_sync(&conn->security_timer);
-        smp_chan_destroy(conn);
+        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+                cancel_delayed_work_sync(&conn->security_timer);
+                smp_chan_destroy(conn);
+        }
 }
 #define JUST_WORKS      0x00
@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
 {
        struct smp_chan *smp = conn->smp_chan;
-        clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
+        BUG_ON(!smp);
        if (smp->tfm)
                crypto_free_blkcipher(smp->tfm);
author	Vinicius Costa Gomes <vinicius.gomes@openbossa.org>	2012-02-01 16:27:56 -0500
committer	Johan Hedberg <johan.hedberg@intel.com>	2012-02-13 10:01:31 -0500
commit	f1c09c07cd1a6c1676c4df6450d2b28875e184c1 (patch)
tree	5056e05979ddddaa25279379bb7b7d2d91978c0a /net/bluetooth/smp.c
parent	66f01296962dfebf032c18ffe61c53a199b4a7bd (diff)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 581833436afa..9ff56e18d99b 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
263		263
264	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);	264	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
265	mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);	265	mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
266	cancel_delayed_work_sync(&conn->security_timer);	266
267	smp_chan_destroy(conn);	267	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
		268	cancel_delayed_work_sync(&conn->security_timer);
		269	smp_chan_destroy(conn);
		270	}
268	}	271	}
269		272
270	#define JUST_WORKS 0x00	273	#define JUST_WORKS 0x00
@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
506	{	509	{
507	struct smp_chan *smp = conn->smp_chan;	510	struct smp_chan *smp = conn->smp_chan;
508		511
509	clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);	512	BUG_ON(!smp);
510		513
511	if (smp->tfm)	514	if (smp->tfm)
512	crypto_free_blkcipher(smp->tfm);	515	crypto_free_blkcipher(smp->tfm);