From d2c1da1335d0968eec15be643aa193cf14a26bab Mon Sep 17 00:00:00 2001 From: Joakim Andersson Date: Mon, 26 Aug 2019 18:33:20 +0200 Subject: [PATCH] Bluetooth: Host: Fix invalid pointer in bt_smp_pkey_ready The storage for the public key is pub_key in hci_core.c. When the public key event is generated the public key is copied into this buffer, but the pointer to the event storage of the key is given in the public key ready callback (bt_smp_pkey_ready). SMP expects that it is safe to assign a global pointer to this variable. In smp_init bt_pub_key_get is used to get the pointer to the public key. In both cases SMP assigns the le_sc_pub_key to the pointer given. This creates an issue when bt_smp_pkey_ready callback occurs after smp_init during pairing procedure, SMP will then have a pointer to an event buffer that has been released and contains invalid data. Fixes: #18580 Signed-off-by: Joakim Andersson --- subsys/bluetooth/host/hci_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c index 9ec63fb987a..de812fd732f 100644 --- a/subsys/bluetooth/host/hci_core.c +++ b/subsys/bluetooth/host/hci_core.c @@ -3271,7 +3271,7 @@ static void le_pkey_complete(struct net_buf *buf) } for (cb = pub_key_cb; cb; cb = cb->_next) { - cb->func(evt->status ? NULL : evt->key); + cb->func(evt->status ? NULL : pub_key); } pub_key_cb = NULL;