Clear the link key when releasing security records
Test: compilation
Bug: 127479372
Change-Id: Ia571a2048fa5ca85c45b03b39d398e480aadb55a
Merged-In: Ia571a2048fa5ca85c45b03b39d398e480aadb55a
(cherry picked from commit acb0a7eb17ec327b46071bc482c8b9687b730fdc)
diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 5368fad..4aa0c04 100644
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
@@ -149,6 +149,12 @@
return true;
}
+void wipe_secrets_and_remove(tBTM_SEC_DEV_REC* p_dev_rec) {
+ memset(p_dev_rec->link_key, 0, LINK_KEY_LEN);
+ memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
+ list_remove(btm_cb.sec_dev_rec, p_dev_rec);
+}
+
/** Free resources associated with the device associated with |bd_addr| address.
*
* *** WARNING ***
@@ -170,7 +176,10 @@
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
if (p_dev_rec != NULL) {
RawAddress bda = p_dev_rec->bd_addr;
- btm_sec_free_dev(p_dev_rec);
+
+ /* Clear out any saved BLE keys */
+ btm_sec_clear_ble_keys(p_dev_rec);
+ wipe_secrets_and_remove(p_dev_rec);
/* Tell controller to get rid of the link key, if it has one stored */
BTM_DeleteStoredLinkKey(&bda, NULL);
}
@@ -257,19 +266,6 @@
/*******************************************************************************
*
- * Function btm_sec_free_dev
- *
- * Description Mark device record as not used
- *
- ******************************************************************************/
-void btm_sec_free_dev(tBTM_SEC_DEV_REC* p_dev_rec) {
- /* Clear out any saved BLE keys */
- btm_sec_clear_ble_keys(p_dev_rec);
- list_remove(btm_cb.sec_dev_rec, p_dev_rec);
-}
-
-/*******************************************************************************
- *
* Function btm_dev_support_switch
*
* Description This function is called by the L2CAP to check if remote
@@ -413,7 +409,7 @@
p_target_rec->bond_type = temp_rec.bond_type;
/* remove the combined record */
- list_remove(btm_cb.sec_dev_rec, p_dev_rec);
+ wipe_secrets_and_remove(p_dev_rec);
// p_dev_rec gets freed in list_remove, we should not access it further
continue;
}
@@ -425,7 +421,7 @@
p_target_rec->device_type |= p_dev_rec->device_type;
/* remove the combined record */
- list_remove(btm_cb.sec_dev_rec, p_dev_rec);
+ wipe_secrets_and_remove(p_dev_rec);
}
}
}
@@ -514,7 +510,7 @@
if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
p_dev_rec = btm_find_oldest_dev_rec();
- list_remove(btm_cb.sec_dev_rec, p_dev_rec);
+ wipe_secrets_and_remove(p_dev_rec);
}
p_dev_rec =
diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index 21f7ce3..761061e 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -208,7 +208,7 @@
extern tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void);
extern tBTM_SEC_DEV_REC* btm_sec_alloc_dev(const RawAddress& bd_addr);
-extern void btm_sec_free_dev(tBTM_SEC_DEV_REC* p_dev_rec);
+extern void wipe_secrets_and_remove(tBTM_SEC_DEV_REC* p_dev_rec);
extern tBTM_SEC_DEV_REC* btm_find_dev(const RawAddress& bd_addr);
extern tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(const RawAddress& bd_addr);
extern tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle);
diff --git a/stack/btm/btm_main.cc b/stack/btm/btm_main.cc
index 011feb7..13d977e 100644
--- a/stack/btm/btm_main.cc
+++ b/stack/btm/btm_main.cc
@@ -83,6 +83,16 @@
fixed_queue_free(btm_cb.sec_pending_q, NULL);
btm_cb.sec_pending_q = NULL;
+ list_node_t* end = list_end(btm_cb.sec_dev_rec);
+ list_node_t* node = list_begin(btm_cb.sec_dev_rec);
+ while (node != end) {
+ tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
+
+ // we do list_remove in, must grab next before removing
+ node = list_next(node);
+ wipe_secrets_and_remove(p_dev_rec);
+ }
+
list_free(btm_cb.sec_dev_rec);
btm_cb.sec_dev_rec = NULL;
