Bluetooth: Fix invalid memory access when there's no SMP channel
authorVinicius Costa Gomes <vinicius.gomes@openbossa.org>
Wed, 1 Feb 2012 21:27:56 +0000 (18:27 -0300)
committerJohan Hedberg <johan.hedberg@intel.com>
Mon, 13 Feb 2012 15:01:31 +0000 (17:01 +0200)
We only should try to free the SMP channel that was created if there
is a pending SMP session.

Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
net/bluetooth/smp.c

index 581833436afa1eb72d7c60aaf8cf9f7fefa4ad0a..9ff56e18d99b1c08426103e5ffa5f8fbdb0330b5 100644 (file)
@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
 
        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
        mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
-       cancel_delayed_work_sync(&conn->security_timer);
-       smp_chan_destroy(conn);
+
+       if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+               cancel_delayed_work_sync(&conn->security_timer);
+               smp_chan_destroy(conn);
+       }
 }
 
 #define JUST_WORKS     0x00
@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
 {
        struct smp_chan *smp = conn->smp_chan;
 
-       clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
+       BUG_ON(!smp);
 
        if (smp->tfm)
                crypto_free_blkcipher(smp->tfm);