Bluetooth: Fix invalid memory access when there's no SMP channel
We only should try to free the SMP channel that was created if there is a pending SMP session. Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
Vinicius Costa Gomes
Johan Hedberg
Родитель
66f0129696
Коммит
f1c09c07cd
|
|
@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
|
||||||
|
|
||||||
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
|
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
|
||||||
mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
|
mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
|
||||||
|
|
||||||
|
if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
|
||||||
cancel_delayed_work_sync(&conn->security_timer);
|
cancel_delayed_work_sync(&conn->security_timer);
|
||||||
smp_chan_destroy(conn);
|
smp_chan_destroy(conn);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#define JUST_WORKS 0x00
|
#define JUST_WORKS 0x00
|
||||||
|
|
@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
|
||||||
{
|
{
|
||||||
struct smp_chan *smp = conn->smp_chan;
|
struct smp_chan *smp = conn->smp_chan;
|
||||||
|
|
||||||
clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
|
BUG_ON(!smp);
|
||||||
|
|
||||||
if (smp->tfm)
|
if (smp->tfm)
|
||||||
crypto_free_blkcipher(smp->tfm);
|
crypto_free_blkcipher(smp->tfm);
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче