From c80cf24e03a0119c46a820e5422f26aead647942 Mon Sep 17 00:00:00 2001
From: Szymon Janc <ext.szymon.janc@tieto.com>
Date: Tue, 16 Feb 2016 14:31:15 +0100
Subject: [PATCH] Bluetooth: GATT: Fix possible bt_conn leak

If other peers were present but not in CONNECTED state temporary
connection reference was leaked.

Change-Id: Icc32bfe1a86f92a9d8472991476ebfd26c889d84
Signed-off-by: Szymon Janc <ext.szymon.janc@tieto.com>
---
 net/bluetooth/gatt.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/gatt.c b/net/bluetooth/gatt.c
index 913d715d565..097fc4ce079 100644
--- a/net/bluetooth/gatt.c
+++ b/net/bluetooth/gatt.c
@@ -561,9 +561,13 @@ static uint8_t disconnected_cb(const struct bt_gatt_attr *attr, void *user_data)
 
 			/* Skip if there is another peer connected */
 			tmp = bt_conn_lookup_addr_le(&ccc->cfg[i].peer);
-			if (tmp && tmp->state == BT_CONN_CONNECTED) {
+			if (tmp) {
+				if (tmp->state == BT_CONN_CONNECTED) {
+					bt_conn_unref(tmp);
+					return BT_GATT_ITER_CONTINUE;
+				}
+
 				bt_conn_unref(tmp);
-				return BT_GATT_ITER_CONTINUE;
 			}
 		}
 	}