
Commit 8ae9b984 authored by Johan Hedberg, committed by Marcel Holtmann

Bluetooth: Fix double free of SMP data skb



In the case that the SMP recv callback returns error the calling code in
l2cap_core.c expects that it still owns the skb and will try to free it.
The SMP code should therefore not try to free the skb if it returns an
error. This patch fixes such behavior in the SMP command handler
function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent 4befb867
+6 −7
@@ -1387,10 +1387,8 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
		return 0;
	}

	if (skb->len < 1) {
		kfree_skb(skb);
	if (skb->len < 1)
		return -EILSEQ;
	}

	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
		err = -EOPNOTSUPP;
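Review bot: the `skb->len < 1` path now returns -EILSEQ without calling kfree_skb(), which is the right thing under the ownership rule the commit message states (on error the caller in l2cap_core.c still owns the skb and frees it). The leading context of this hunk still shows a `return 0;` path above it; paths that return 0 are success from the caller's point of view and remain responsible for freeing the skb themselves, so it is worth confirming that every `return 0` in this function is still preceded by its own kfree_skb().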
@@ -1410,8 +1408,9 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
	if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
	    !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
		BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
		kfree_skb(skb);
		return -EOPNOTSUPP;
		reason = SMP_CMD_NOTSUPP;
		err = -EOPNOTSUPP;
		goto done;
	}

	switch (code) {
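Review bot: the unexpected-command path changes behaviour beyond the double-free fix: instead of freeing the skb and returning -EOPNOTSUPP directly, it now sets `reason = SMP_CMD_NOTSUPP` and jumps to `done`, where smp_failure() is invoked, so the peer now receives an SMP failure response with "Command Not Supported" where previously nothing was sent. The commit message only describes the skb ownership fix; please document this new failure-response behaviour there as well. The BT_ERR text still says "Disconnecting.", so it should also be confirmed that the `done` path actually results in a disconnect, or the message adjusted.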
@@ -1472,7 +1471,7 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
done:
	if (reason)
		smp_failure(conn, reason);

	if (!err)
		kfree_skb(skb);
	return err;
}
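Review bot: `if (!err) kfree_skb(skb);` at the `done` label is the single point that now encodes the ownership contract, but nothing in the code says why the skb is left alive on error. Suggest a short comment next to it, e.g. "/* On error the caller (l2cap_core.c) still owns and frees the skb */", so that future error paths added before `done` do not reintroduce the double free by freeing the skb themselves. The `goto done` from the unexpected-command path sets `err` before jumping, so it is consistent with this check.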