Bluetooth: SMP: Fix invalid access if a buffer cannot be allocated

	}

}

static struct net_buf *smp_create_pdu(struct bt_conn *conn, u8_t op,

				      size_t len)

static struct net_buf *smp_create_pdu(struct bt_smp *smp, u8_t op, size_t len)

{

	struct bt_smp_hdr *hdr;

	struct net_buf *buf;

	s32_t timeout;

	/* Don't if session had already timed out */

	if (atomic_test_bit(smp->flags, SMP_FLAG_TIMEOUT)) {

		timeout = K_NO_WAIT;

	} else {

		timeout = SMP_TIMEOUT;

	}

	buf = bt_l2cap_create_pdu(NULL, 0);

	/* NULL is not a possible return due to K_FOREVER */

	/* Use smaller timeout if returning an error since that could be

	 * caused by lack of buffers.

	 */

	buf = bt_l2cap_create_pdu_timeout(NULL, 0, timeout);

	if (!buf) {

		/* If it was not possible to allocate a buffer within the

		 * timeout marked it as timed out.

		 */

		atomic_set_bit(smp->flags, SMP_FLAG_TIMEOUT);

		return NULL;

	}

	hdr = net_buf_add(buf, sizeof(*hdr));

	hdr->code = op;

	BT_DBG("LTK derived from LinkKey");

}

static struct net_buf *smp_br_create_pdu(struct bt_smp_br *smp, u8_t op,

					 size_t len)

{

	struct bt_smp_hdr *hdr;

	struct net_buf *buf;

	s32_t timeout;

	/* Don't if session had already timed out */

	if (atomic_test_bit(smp->flags, SMP_FLAG_TIMEOUT)) {

		timeout = K_NO_WAIT;

	} else {

		timeout = SMP_TIMEOUT;

	}

	/* Use smaller timeout if returning an error since that could be

	 * caused by lack of buffers.

	 */

	buf = bt_l2cap_create_pdu_timeout(NULL, 0, timeout);

	if (!buf) {

		/* If it was not possible to allocate a buffer within the

		 * timeout marked it as timed out.

		 */

		atomic_set_bit(smp->flags, SMP_FLAG_TIMEOUT);

		return NULL;

	}

	hdr = net_buf_add(buf, sizeof(*hdr));

	hdr->code = op;

	return buf;

}

static void smp_br_distribute_keys(struct bt_smp_br *smp)

{

	struct bt_conn *conn = smp->chan.chan.conn;

		smp->local_dist &= ~BT_SMP_DIST_ID_KEY;

		buf = smp_create_pdu(conn, BT_SMP_CMD_IDENT_INFO,

		buf = smp_br_create_pdu(smp, BT_SMP_CMD_IDENT_INFO,

					sizeof(*id_info));

		if (!buf) {

			BT_ERR("Unable to allocate Ident Info buffer");

		smp_br_send(smp, buf, NULL);

		buf = smp_create_pdu(conn, BT_SMP_CMD_IDENT_ADDR_INFO,

		buf = smp_br_create_pdu(smp, BT_SMP_CMD_IDENT_ADDR_INFO,

				     sizeof(*id_addr_info));

		if (!buf) {

			BT_ERR("Unable to allocate Ident Addr Info buffer");

		smp->local_dist &= ~BT_SMP_DIST_SIGN;

		buf = smp_create_pdu(conn, BT_SMP_CMD_SIGNING_INFO,

		buf = smp_br_create_pdu(smp, BT_SMP_CMD_SIGNING_INFO,

					sizeof(*info));

		if (!buf) {

			BT_ERR("Unable to allocate Signing Info buffer");

			keys->local_csrk.cnt = 0U;

		}

		smp_br_send(smp, buf, sign_info_sent);

		smp_br_send(smp, buf, smp_sign_info_sent);

	}

#endif /* CONFIG_BT_SIGNING */

}

		return BT_SMP_ERR_ENC_KEY_SIZE;

	}

	rsp_buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_RSP, sizeof(*rsp));

	rsp_buf = smp_br_create_pdu(smp, BT_SMP_CMD_PAIRING_RSP, sizeof(*rsp));

	if (!rsp_buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

	/* reset context and report */

	smp_br_reset(smp);

	buf = smp_create_pdu(smp->chan.chan.conn, BT_SMP_CMD_PAIRING_FAIL,

			     sizeof(*rsp));

	buf = smp_br_create_pdu(smp, BT_SMP_CMD_PAIRING_FAIL, sizeof(*rsp));

	if (!buf) {

		return -ENOBUFS;

	}

	smp_br_init(smp);

	smp->enc_key_size = max_key_size;

	req_buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_REQ, sizeof(*req));

	req_buf = smp_br_create_pdu(smp, BT_SMP_CMD_PAIRING_REQ, sizeof(*req));

	if (!req_buf) {

		return -ENOBUFS;

	}

		bt_keys_clear(smp->chan.chan.conn->le.keys);

	}

	smp_pairing_complete(smp, BT_SMP_ERR_UNSPECIFIED);

	atomic_set_bit(smp->flags, SMP_FLAG_TIMEOUT);

	smp_pairing_complete(smp, BT_SMP_ERR_UNSPECIFIED);

}

static void smp_send(struct bt_smp *smp, struct net_buf *buf,

	/* reset context and report */

	smp_pairing_complete(smp, reason);

	buf = smp_create_pdu(smp->chan.chan.conn, BT_SMP_CMD_PAIRING_FAIL,

			     sizeof(*rsp));

	buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_FAIL, sizeof(*rsp));

	if (!buf) {

		return -ENOBUFS;

	}

static u8_t smp_send_pairing_random(struct bt_smp *smp)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	struct bt_smp_pairing_random *req;

	struct net_buf *rsp_buf;

	rsp_buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_RANDOM, sizeof(*req));

	rsp_buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_RANDOM, sizeof(*req));

	if (!rsp_buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

static u8_t smp_send_pairing_confirm(struct bt_smp *smp)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	struct bt_smp_pairing_confirm *req;

	struct net_buf *buf;

	u8_t r;

		return BT_SMP_ERR_UNSPECIFIED;

	}

	buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_CONFIRM, sizeof(*req));

	buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_CONFIRM, sizeof(*req));

	if (!buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

		bt_rand(&rand, sizeof(rand));

		bt_rand(&ediv, sizeof(ediv));

		buf = smp_create_pdu(conn, BT_SMP_CMD_ENCRYPT_INFO,

		buf = smp_create_pdu(smp, BT_SMP_CMD_ENCRYPT_INFO,

				     sizeof(*info));

		if (!buf) {

			BT_ERR("Unable to allocate Encrypt Info buffer");

		smp_send(smp, buf, NULL, NULL);

		buf = smp_create_pdu(conn, BT_SMP_CMD_MASTER_IDENT,

		buf = smp_create_pdu(smp, BT_SMP_CMD_MASTER_IDENT,

				     sizeof(*ident));

		if (!buf) {

			BT_ERR("Unable to allocate Master Ident buffer");

}

#endif /* !CONFIG_BT_SMP_SC_PAIR_ONLY */

static void bt_smp_distribute_keys(struct bt_smp *smp)

static u8_t bt_smp_distribute_keys(struct bt_smp *smp)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	struct bt_keys *keys = conn->le.keys;

	if (!keys) {

		BT_ERR("No keys space for %s", bt_addr_le_str(&conn->le.dst));

		return;

		return BT_SMP_ERR_UNSPECIFIED;

	}

#if !defined(CONFIG_BT_SMP_SC_PAIR_ONLY)

		struct bt_smp_ident_addr_info *id_addr_info;

		struct net_buf *buf;

		buf = smp_create_pdu(conn, BT_SMP_CMD_IDENT_INFO,

		buf = smp_create_pdu(smp, BT_SMP_CMD_IDENT_INFO,

				     sizeof(*id_info));

		if (!buf) {

			BT_ERR("Unable to allocate Ident Info buffer");

			return;

			return BT_SMP_ERR_UNSPECIFIED;

		}

		id_info = net_buf_add(buf, sizeof(*id_info));

		smp_send(smp, buf, NULL, NULL);

		buf = smp_create_pdu(conn, BT_SMP_CMD_IDENT_ADDR_INFO,

		buf = smp_create_pdu(smp, BT_SMP_CMD_IDENT_ADDR_INFO,

				     sizeof(*id_addr_info));

		if (!buf) {

			BT_ERR("Unable to allocate Ident Addr Info buffer");

			return;

			return BT_SMP_ERR_UNSPECIFIED;

		}

		id_addr_info = net_buf_add(buf, sizeof(*id_addr_info));

		struct bt_smp_signing_info *info;

		struct net_buf *buf;

		buf = smp_create_pdu(conn, BT_SMP_CMD_SIGNING_INFO,

		buf = smp_create_pdu(smp, BT_SMP_CMD_SIGNING_INFO,

				     sizeof(*info));

		if (!buf) {

			BT_ERR("Unable to allocate Signing Info buffer");

			return;

			return BT_SMP_ERR_UNSPECIFIED;

		}

		info = net_buf_add(buf, sizeof(*info));

		smp_send(smp, buf, sign_info_sent, NULL);

	}

#endif /* CONFIG_BT_SIGNING */

	return 0;

}

#if defined(CONFIG_BT_PERIPHERAL)

static u8_t send_pairing_rsp(struct bt_smp *smp)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	struct bt_smp_pairing *rsp;

	struct net_buf *rsp_buf;

	rsp_buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_RSP, sizeof(*rsp));

	rsp_buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_RSP, sizeof(*rsp));

	if (!rsp_buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

	struct bt_smp_pairing_confirm *req;

	struct net_buf *buf;

	buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_CONFIRM, sizeof(*req));

	buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_CONFIRM, sizeof(*req));

	if (!buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

		atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING);

		smp_send_pairing_random(smp);

		return smp_send_pairing_random(smp);

	}

	return 0;

static u8_t smp_master_ident(struct bt_smp *smp, struct net_buf *buf)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	u8_t err;

	BT_DBG("");

	if (IS_ENABLED(CONFIG_BT_CENTRAL) &&

	    conn->role == BT_HCI_ROLE_MASTER && !smp->remote_dist) {

		bt_smp_distribute_keys(smp);

		err = bt_smp_distribute_keys(smp);

		if (err) {

			return err;

		}

	}

	/* if all keys were distributed, pairing is done */

		return -ENOBUFS;

	}

	req_buf = smp_create_pdu(conn, BT_SMP_CMD_SECURITY_REQUEST,

	req_buf = smp_create_pdu(smp, BT_SMP_CMD_SECURITY_REQUEST,

				 sizeof(*req));

	if (!req_buf) {

		return -ENOBUFS;

	struct bt_smp_public_key *req;

	struct net_buf *req_buf;

	req_buf = smp_create_pdu(smp->chan.chan.conn, BT_SMP_CMD_PUBLIC_KEY,

				 sizeof(*req));

	req_buf = smp_create_pdu(smp, BT_SMP_CMD_PUBLIC_KEY, sizeof(*req));

	if (!req_buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

		return -ENOBUFS;

	}

	req_buf = smp_create_pdu(conn, BT_SMP_CMD_PAIRING_REQ, sizeof(*req));

	req_buf = smp_create_pdu(smp, BT_SMP_CMD_PAIRING_REQ, sizeof(*req));

	if (!req_buf) {

		return -ENOBUFS;

	}

	BT_DBG("");

	buf = smp_create_pdu(smp->chan.chan.conn, BT_SMP_DHKEY_CHECK,

			     sizeof(*req));

	buf = smp_create_pdu(smp, BT_SMP_DHKEY_CHECK, sizeof(*req));

	if (!buf) {

		return BT_SMP_ERR_UNSPECIFIED;

	}

	}

	atomic_set_bit(&smp->allowed_cmds, BT_SMP_DHKEY_CHECK);

	sc_smp_send_dhkey_check(smp, e);

	return 0;

	return sc_smp_send_dhkey_check(smp, e);

}

#endif /* CONFIG_BT_CENTRAL */

static u8_t compute_and_check_and_send_slave_dhcheck(struct bt_smp *smp)

{

	u8_t re[16], e[16], r[16];

	u8_t err;

	(void)memset(r, 0, sizeof(r));

	}

	/* send local e */

	sc_smp_send_dhkey_check(smp, e);

	err = sc_smp_send_dhkey_check(smp, e);

	if (err) {

		return err;

	}

	atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING);

	return 0;

			atomic_set_bit(&smp->allowed_cmds,

				       BT_SMP_CMD_PAIRING_CONFIRM);

			smp_send_pairing_confirm(smp);

			return 0;

			return smp_send_pairing_confirm(smp);

		default:

			return BT_SMP_ERR_UNSPECIFIED;

		}

		atomic_set_bit(&smp->allowed_cmds,

			       BT_SMP_CMD_PAIRING_CONFIRM);

		smp_send_pairing_random(smp);

		err = smp_send_pairing_random(smp);

		if (err) {

			return err;

		}

		smp->passkey_round++;

		if (smp->passkey_round == 20U) {

	atomic_set_bit(&smp->allowed_cmds, BT_SMP_DHKEY_CHECK);

	atomic_set_bit(smp->flags, SMP_FLAG_DHCHECK_WAIT);

	smp_send_pairing_random(smp);

	return smp_send_pairing_random(smp);

#else

	return BT_SMP_ERR_PAIRING_NOTSUPP;

#endif /* CONFIG_BT_PERIPHERAL */

	return 0;

}

static u8_t smp_pairing_failed(struct bt_smp *smp, struct net_buf *buf)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	struct bt_smp_ident_addr_info *req = (void *)buf->data;

	u8_t err;

	BT_DBG("identity %s", bt_addr_le_str(&req->addr));

	if (IS_ENABLED(CONFIG_BT_CENTRAL) &&

	    conn->role == BT_HCI_ROLE_MASTER && !smp->remote_dist) {

		bt_smp_distribute_keys(smp);

		err = bt_smp_distribute_keys(smp);

		if (err) {

			return err;

		}

	}

	/* if all keys were distributed, pairing is done */

static u8_t smp_signing_info(struct bt_smp *smp, struct net_buf *buf)

{

	struct bt_conn *conn = smp->chan.chan.conn;

	u8_t err;

	BT_DBG("");

	if (IS_ENABLED(CONFIG_BT_CENTRAL) &&

	    conn->role == BT_HCI_ROLE_MASTER && !smp->remote_dist) {

		bt_smp_distribute_keys(smp);

		err = bt_smp_distribute_keys(smp);

		if (err) {

			return err;

		}

	}

	/* if all keys were distributed, pairing is done */

		return;

	}

	bt_smp_distribute_keys(smp);

	if (bt_smp_distribute_keys(smp)) {

		return;

	}

	/* if all keys were distributed, pairing is done */

	if (!smp->local_dist && !smp->remote_dist) {

int bt_smp_auth_passkey_entry(struct bt_conn *conn, unsigned int passkey)

{

	struct bt_smp *smp;

	u8_t err;

	smp = smp_chan_get(conn);

	if (!smp) {

	if (IS_ENABLED(CONFIG_BT_CENTRAL) &&

	    smp->chan.chan.conn->role == BT_HCI_ROLE_MASTER) {

		if (smp_send_pairing_confirm(smp)) {

		err = smp_send_pairing_confirm(smp);

		if (err) {

			smp_error(smp, BT_SMP_ERR_PASSKEY_ENTRY_FAILED);

			return 0;

		}

	if (IS_ENABLED(CONFIG_BT_PERIPHERAL) &&

	    atomic_test_bit(smp->flags, SMP_FLAG_CFM_DELAYED)) {

		if (smp_send_pairing_confirm(smp)) {

		err = smp_send_pairing_confirm(smp);

		if (err) {

			smp_error(smp, BT_SMP_ERR_PASSKEY_ENTRY_FAILED);

			return 0;

		}

		atomic_set_bit(smp->flags, SMP_FLAG_DHCHECK_WAIT);

	}

	smp_send_pairing_random(smp);

	return 0;

	return smp_send_pairing_random(smp);

}

int bt_smp_le_oob_set_sc_data(struct bt_conn *conn,