Bluetooth: controller: split: Fix Tx Ctrl PDU leak
Overlapping Feature Exchange requested by host with
Encryption Setup requested by the application caused the
controller to corrupt its Tx queue, leading to Tx Ctrl PDU
buffers leaking from the system.

Fixes #21299.

Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
cvinayak authored and aescolar committed Dec 16, 2019

Verified

This commit was signed with the committer’s verified signature.
1 parent 3a39f79 commit f7c890e
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions subsys/bluetooth/controller/ll_sw/ull_conn.c
@@ -1923,7 +1923,6 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
conn->tx_data_last = tx;
}
} else {

/* check if Encryption Request is at head, enqueue this control
* PDU after control last marker and before data marker.
* This way it is paused until Encryption Setup completes.
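Review bot: the block comment kept as context at the end of this hunk still reads "check if Encryption Request is at head", but the condition rewritten in the next hunk also matches PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ and additionally requires an active LLCP_ENCRYPTION procedure. Please update the comment so it describes all three conditions that now lead to pause = true. Separately, the only change in this hunk itself is the removal of the blank line after "} else {"; that is fine, but it is whitespace cleanup unrelated to the leak fix and would be easier to bisect as its own commit.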
@@ -1932,9 +1931,13 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
struct pdu_data *pdu_data_tx;

pdu_data_tx = (void *)conn->tx_head->pdu;
if ((pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
(pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_ENC_REQ)) {
if ((conn->llcp_req != conn->llcp_ack) &&
(conn->llcp_type == LLCP_ENCRYPTION) &&
(pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
((pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_ENC_REQ) ||
(pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ))) {
pause = true;
}
}
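Review bot: the new guard "(conn->llcp_req != conn->llcp_ack) && (conn->llcp_type == LLCP_ENCRYPTION)" changes behaviour for a head PDU that is an ENC_REQ while no encryption procedure is flagged as pending: before this change that case set pause = true, now it falls through with pause left unchanged. The commit message says overlapping Feature Exchange and Encryption Setup corrupted the Tx queue, but neither it nor the code explains why the head opcode alone was not a sufficient signal, or why PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ had to be added to the match. A short comment above the condition stating which queue state each clause protects would make this reviewable, for example that the head ENC_REQ or PAUSE_ENC_REQ only marks a paused queue while llcp_req and llcp_ack differ and llcp_type is LLCP_ENCRYPTION. Since the defect was a buffer leak triggered by procedure ordering, a regression test that enqueues a Feature Exchange control PDU during Encryption Setup and checks that all Tx Ctrl PDU buffers are returned would keep this from recurring.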
