Bluetooth: controller: split: Fix Tx Ctrl PDU leak

Overlapping Feature Exchange requested by host with Encryption Setup requested by the application caused the controller to corrupt its Tx queue leading to Tx Ctrl PDU buffers from leaking from the system. Fixes #21299. Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
2019-12-13 16:40:27 +05:30 · 2019-12-13 16:40:27 +05:30 · f7c890e08c
parent 3a39f79d9b
commit f7c890e08c
1 changed files with 7 additions and 4 deletions
--- a/subsys/bluetooth/controller/ll_sw/ull_conn.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_conn.c
@ -1923,7 +1923,6 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
 			conn->tx_data_last = tx;
 		}
 	} else {
-
 		/* check if Encryption Request is at head, enqueue this control
 		 * PDU after control last marker and before data marker.
 		 * This way it is paused until Encryption Setup completes.
@ -1932,9 +1931,13 @@ static void ctrl_tx_sec_enqueue(struct ll_conn *conn, struct node_tx *tx)
 			struct pdu_data *pdu_data_tx;

 			pdu_data_tx = (void *)conn->tx_head->pdu;
-			if ((pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
-			    (pdu_data_tx->llctrl.opcode ==
-			     PDU_DATA_LLCTRL_TYPE_ENC_REQ)) {
+			if ((conn->llcp_req != conn->llcp_ack) &&
+			    (conn->llcp_type == LLCP_ENCRYPTION) &&
+			    (pdu_data_tx->ll_id == PDU_DATA_LLID_CTRL) &&
+			    ((pdu_data_tx->llctrl.opcode ==
+			      PDU_DATA_LLCTRL_TYPE_ENC_REQ) ||
+			     (pdu_data_tx->llctrl.opcode ==
+			      PDU_DATA_LLCTRL_TYPE_PAUSE_ENC_REQ))) {
 				pause = true;
 			}
 		}