Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().

Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

authored by Jianpeng Chang and committed by Luiz Augusto von Dentz
1b9c17fd 0c3cd7a0

+3 net/bluetooth/mgmt.c
··· 1966 1966 } 1967 1967 1968 1968 mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); 1969 + mgmt_pending_free(cmd); 1969 1970 return; 1970 1971 } 1971 1972 ··· 1985 1984 sock_put(match.sk); 1986 1985 1987 1986 hci_update_eir_sync(hdev); 1987 + mgmt_pending_free(cmd); 1988 1988 } 1989 1989 1990 1990 static int set_ssp_sync(struct hci_dev *hdev, void *data) ··· 6440 6438 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 6441 6439 6442 6440 settings_rsp(cmd, &match); 6441 + mgmt_pending_free(cmd); 6443 6442 6444 6443 new_settings(hdev, match.sk); 6445 6444
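Review bot: In the set_ssp_complete() hunks (the error path after mgmt_cmd_status() and the success path after hci_update_eir_sync()), the added mgmt_pending_free(cmd) assumes the caller that invokes this completion callback does not also free cmd; the invocation site is not in the visible context, so please confirm in the same file that the command is only removed from the pending list (not freed) before the callback runs, otherwise these two lines turn the leak into a double free. The ordering itself is correct: cmd->sk, cmd->hdev and cmd->opcode are consumed by mgmt_cmd_status() before the free, and the success path frees only after sock_put(match.sk) and hci_update_eir_sync().

Review bot: In the set_advertising_complete() hunk, mgmt_pending_free(cmd) is placed between settings_rsp(cmd, &match) and new_settings(hdev, match.sk); that is only safe if settings_rsp() takes its own reference on match.sk rather than leaving match.sk as a borrowed pointer to cmd->sk. The set_ssp_complete() hunk above shows a matching sock_put(match.sk), which suggests it does, but please double-check that set_advertising_complete() drops that reference too, or move the free after new_settings() so the socket use cannot outlive the command that owns it.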