* [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel
@ 2012-02-01 21:27 Vinicius Costa Gomes
2012-02-01 21:30 ` Marcel Holtmann
2012-02-01 21:35 ` Johan Hedberg
0 siblings, 2 replies; 3+ messages in thread
From: Vinicius Costa Gomes @ 2012-02-01 21:27 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Vinicius Costa Gomes
We only should try to free the SMP channel that was created if there
is a pending SMP session.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
---
net/bluetooth/smp.c | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 5818334..9ff56e1 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -263,8 +263,11 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
- cancel_delayed_work_sync(&conn->security_timer);
- smp_chan_destroy(conn);
+
+ if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+ cancel_delayed_work_sync(&conn->security_timer);
+ smp_chan_destroy(conn);
+ }
}
#define JUST_WORKS 0x00
@@ -506,7 +509,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
{
struct smp_chan *smp = conn->smp_chan;
- clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
+ BUG_ON(!smp);
if (smp->tfm)
crypto_free_blkcipher(smp->tfm);
--
1.7.8.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel
2012-02-01 21:27 [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel Vinicius Costa Gomes
@ 2012-02-01 21:30 ` Marcel Holtmann
2012-02-01 21:35 ` Johan Hedberg
1 sibling, 0 replies; 3+ messages in thread
From: Marcel Holtmann @ 2012-02-01 21:30 UTC (permalink / raw)
To: Vinicius Costa Gomes; +Cc: linux-bluetooth
Hi Vinicius,
> We only should try to free the SMP channel that was created if there
> is a pending SMP session.
>
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
> ---
> net/bluetooth/smp.c | 9 ++++++---
> 1 files changed, 6 insertions(+), 3 deletions(-)
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel
2012-02-01 21:27 [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel Vinicius Costa Gomes
2012-02-01 21:30 ` Marcel Holtmann
@ 2012-02-01 21:35 ` Johan Hedberg
1 sibling, 0 replies; 3+ messages in thread
From: Johan Hedberg @ 2012-02-01 21:35 UTC (permalink / raw)
To: Vinicius Costa Gomes; +Cc: linux-bluetooth
Hi Vinicius,
On Wed, Feb 01, 2012, Vinicius Costa Gomes wrote:
> We only should try to free the SMP channel that was created if there
> is a pending SMP session.
>
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
> ---
> net/bluetooth/smp.c | 9 ++++++---
> 1 files changed, 6 insertions(+), 3 deletions(-)
Applied to my bluetooth-next tree. Thanks.
Johan
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-02-01 21:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-01 21:27 [PATCH] Bluetooth: Fix invalid memory access when there's no SMP channel Vinicius Costa Gomes
2012-02-01 21:30 ` Marcel Holtmann
2012-02-01 21:35 ` Johan Hedberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).