Bluetooth: controller: legacy: Fix Tx Ctrl PDU leak

Overlapping Feature Exchange requested by the host with
Encryption Setup requested by the application caused the
controller to corrupt its Tx queue, leading to Tx Ctrl PDU
buffers leaking from the system.

Relates to #21299.

Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
This commit is contained in:
Vinayak Kariappa Chettimada 2019-12-13 16:40:27 +05:30 committed by Carles Cufí
parent f72d5577f9
commit 1ede7db159


@ -10243,6 +10243,9 @@ static void ctrl_tx_enqueue(struct connection *conn,
static void ctrl_tx_sec_enqueue(struct connection *conn,
struct radio_pdu_node_tx *node_tx)
{
bool pause = false;
#if defined(CONFIG_BT_CTLR_LE_ENC)
if (conn->pause_tx) {
if (!conn->pkt_tx_ctrl) {
/* As data PDU tx is paused and no control PDU in queue,
@ -10268,8 +10271,6 @@ static void ctrl_tx_sec_enqueue(struct connection *conn,
conn->pkt_tx_last = node_tx;
}
} else {
bool pause = false;
/* check if Encryption Request is at head, it may have been
* transmitted and not ack-ed. Hence, enqueue this control PDU
* after control last marker and before data marker.
@ -10279,13 +10280,21 @@ static void ctrl_tx_sec_enqueue(struct connection *conn,
struct pdu_data *pdu_data_tx;
pdu_data_tx = (void *)conn->pkt_tx_head->pdu_data;
if ((pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
(pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_ENC_REQ)) {
if ((conn->llcp_req != conn->llcp_ack) &&
(conn->llcp_type == LLCP_ENCRYPTION) &&
(pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
((pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_ENC_REQ) ||
(pdu_data_tx->llctrl.opcode ==
PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ))) {
pause = true;
}
}
#else /* !CONFIG_BT_CTLR_LE_ENC */
{
#endif /* !CONFIG_BT_CTLR_LE_ENC */
ctrl_tx_pause_enqueue(conn, node_tx, pause);
}
}
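Review bot: The comment in the second hunk ("check if Encryption Request is at head, it may have been transmitted and not ack-ed") no longer matches the new condition in the third hunk, which additionally requires an encryption procedure to be in flight (`conn->llcp_req != conn->llcp_ack` with `conn->llcp_type == LLCP_ENCRYPTION`) and also accepts `PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ` at the head; suggest rewording it to `/* Pause only while an encryption procedure is in progress and ENC_REQ or PAUSE_ENC_REQ is at head (it may be transmitted but not yet ack-ed): enqueue after the control last marker and before the data marker. */`. The bare `{` under `#else /* !CONFIG_BT_CTLR_LE_ENC */` appears to exist only so the shared `ctrl_tx_pause_enqueue(conn, node_tx, pause);` and its closing brace compile in both configurations; a one-line comment such as `/* No pause_tx state without LE encryption; plain block so the enqueue below is shared. */` would make that intent explicit to the next reader. Whether `conn->pkt_tx_head` is checked for NULL before the `conn->pkt_tx_head->pdu_data` dereference cannot be confirmed here, since that guard, if present, starts outside the hunk.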