diff options
| author | Jianpeng Chang <jianpeng.chang.cn@windriver.com> | 2026-01-21 13:29:26 +0800 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2026-01-29 13:36:12 -0500 |
| commit | 4db19bfd320f2124c820d3456aeae3953095ea8e (patch) | |
| tree | cc4634dc9af7fae74c1f6870adad277c92f48a5b /include/net/bluetooth | |
| parent | e6c0dc504e9504b4ce42632604cdbe326f961ad1 (diff) | |
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.
This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.
Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().
Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'include/net/bluetooth')
0 files changed, 0 insertions, 0 deletions