summaryrefslogtreecommitdiff
path: root/net/bluetooth/smp.c
diff options
context:
space:
mode:
authorJohan Hedberg <johan.hedberg@intel.com>2014-08-11 22:06:39 +0300
committerMarcel Holtmann <marcel@holtmann.org>2014-08-14 08:49:23 +0200
commit8ae9b9845b3252216cf5d2e033e5cca41bae48ef (patch)
treea87137cef1f5f4c6cde5d25cb6b5a1aed86f401a /net/bluetooth/smp.c
parent4befb867b9de8adc56c683f4cf6c9e6c035e94e3 (diff)
downloadlwn-8ae9b9845b3252216cf5d2e033e5cca41bae48ef.tar.gz
lwn-8ae9b9845b3252216cf5d2e033e5cca41bae48ef.zip
Bluetooth: Fix double free of SMP data skb
In the case that the SMP recv callback returns error the calling code in l2cap_core.c expects that it still owns the skb and will try to free it. The SMP code should therefore not try to free the skb if it return an error. This patch fixes such behavior in the SMP command handler function. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/smp.c')
-rw-r--r--net/bluetooth/smp.c13
1 files changed, 6 insertions, 7 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 7a295d7edc44..5103dc739a17 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1387,10 +1387,8 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
return 0;
}
- if (skb->len < 1) {
- kfree_skb(skb);
+ if (skb->len < 1)
return -EILSEQ;
- }
if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
err = -EOPNOTSUPP;
@@ -1410,8 +1408,9 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
- kfree_skb(skb);
- return -EOPNOTSUPP;
+ reason = SMP_CMD_NOTSUPP;
+ err = -EOPNOTSUPP;
+ goto done;
}
switch (code) {
@@ -1472,8 +1471,8 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
done:
if (reason)
smp_failure(conn, reason);
-
- kfree_skb(skb);
+ if (!err)
+ kfree_skb(skb);
return err;
}