From: Johan Hedberg <johan.hedberg@intel.com>
Date: Fri, 28 Feb 2014 08:10:16 +0000 (+0200)
Subject: Bluetooth: Fix clearing SMP keys if pairing fails
X-Git-Tag: v4.9.8~6025^2~11^2~7^2~45^2~94
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=759331d7cc660be17bcdc5df53f196135f9dfaf6;p=platform%2Fkernel%2Flinux-rpi3.git

Bluetooth: Fix clearing SMP keys if pairing fails

If SMP fails we should not leave any keys (LTKs or IRKs) hanging around
the internal lists. This patch adds the necessary code to
smp_chan_destroy to remove any keys we may have in case of pairing
failure.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 99abffc..f1cb6a3 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -589,6 +589,24 @@ void smp_chan_destroy(struct l2cap_conn *conn)
 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
 	mgmt_smp_complete(conn->hcon, complete);
 
+	/* If pairing failed clean up any keys we might have */
+	if (!complete) {
+		if (smp->ltk) {
+			list_del(&smp->ltk->list);
+			kfree(smp->ltk);
+		}
+
+		if (smp->slave_ltk) {
+			list_del(&smp->slave_ltk->list);
+			kfree(smp->slave_ltk);
+		}
+
+		if (smp->remote_irk) {
+			list_del(&smp->remote_irk->list);
+			kfree(smp->remote_irk);
+		}
+	}
+
 	kfree(smp);
 	conn->smp_chan = NULL;
 	conn->hcon->smp_conn = NULL;