From f7c890e08c5ca79bb84d9a09847757c62bb85234 Mon Sep 17 00:00:00 2001
From: Vinayak Kariappa Chettimada
Date: Fri, 13 Dec 2019 16:40:27 +0530
Subject: [PATCH] Bluetooth: controller: split: Fix Tx Ctrl PDU leak

Overlapping Feature Exchange requested by host with Encryption Setup requested by the application caused the controller to corrupt its Tx queue leading to Tx Ctrl PDU buffers from leaking from the system.

Fixes #21299.

Signed-off-by: Vinayak Kariappa Chettimada
---
 subsys/bluetooth/controller/ll_sw/ull_conn.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/subsys/bluetooth/controller/ll_sw/ull_conn.c b/subsys/bluetooth/controller/ll_sw/ull_conn.c
index dda7e3c3888..ba067479a7f 100644
--- a/subsys/bluetooth/controller/ll_sw/ull_conn.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_conn.c
@@ -1923,7 +1923,6 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
 conn->tx_data_last = tx;
 }
 } else {
-
 /* check if Encryption Request is at head, enqueue this control
 * PDU after control last marker and before data marker.
 * This way it is paused until Encryption Setup completes.
@@ -1932,9 +1931,13 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
 struct pdu_data *pdu_data_tx;

 pdu_data_tx = (void *)conn->tx_head->pdu;
- if ((pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
- (pdu_data_tx->llctrl.opcode ==
- PDU_DATA_LLCTRL_TYPE_ENC_REQ)) {
+ if ((conn->llcp_req != conn->llcp_ack) &&
+ (conn->llcp_type == LLCP_ENCRYPTION) &&
+ (pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
+ ((pdu_data_tx->llctrl.opcode ==
+ PDU_DATA_LLCTRL_TYPE_ENC_REQ) ||
+ (pdu_data_tx->llctrl.opcode ==
+ PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ))) {
 pause = true;
 }
 }
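Review bot: The block comment above this condition (context of the first hunk) still describes only "Encryption Request is at head", while the rewritten `if` in the second hunk now also requires a pending `LLCP_ENCRYPTION` procedure and matches `PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ`. Since this check decides whether a control PDU is held back until Encryption Setup completes, the comment should state the new rule, e.g. `/* Pause only while an LLCP_ENCRYPTION procedure is pending and ENC_REQ or PAUSE_ENC_REQ is at the Tx head */`. The hunk does not show where `llcp_req`/`llcp_ack` change relative to the ENC_REQ being queued, so it is worth confirming that an ENC_REQ at head with no pending procedure cannot occur, because in that case the PDU would no longer be paused. `ctrl_tx_sec_enqueue` begins and ends outside the hunk.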