bluetooth: host: Fix simultaneous pairings getting the same keys slot

Fix an issue where a slot in the key pool was considered free when
either the address was cleared or no keys were written in the entry
(enc_size == 0). This caused a problem with simultaneous pairing
attempts that would be assigned the same entry.

This patch makes it so a a slot is considered free even when keys are
not yet present in the entry, and makes sure the address is cleared in
case of pairing failure or timeout so to mark the slot as free.

Signed-off-by: François Delawarde <[email protected]>

Author: fnde-ot

subsys/bluetooth/host/smp.c

@@ -1579,8 +1579,18 @@ static void smp_pairing_complete(struct bt_smp *smp, u8_t status)
 			bt_auth->pairing_complete(smp->chan.chan.conn,
 						  bond_flag);
 		}
-	} else if (bt_auth && bt_auth->pairing_failed) {
-		bt_auth->pairing_failed(smp->chan.chan.conn);
+	} else {
+		/*
+		 * Clear the key pool entry in case of pairing failure.
+		 */
+		if (smp->chan.chan.conn->le.keys) {
+			bt_keys_clear(smp->chan.chan.conn->le.keys);
+			smp->chan.chan.conn->le.keys = NULL;
+		}
+
+		if (bt_auth && bt_auth->pairing_failed) {
+			bt_auth->pairing_failed(smp->chan.chan.conn);
+		}
 	}
 
 	smp_reset(smp);
@@ -1592,15 +1602,6 @@ static void smp_timeout(struct k_work *work)
 
 	BT_ERR("SMP Timeout");
 
-	/*
-	 * If SMP timeout occurred during key distribution we should assume
-	 * pairing failed and don't store any keys from this pairing.
-	 */
-	if (atomic_test_bit(smp->flags, SMP_FLAG_KEYS_DISTR) &&
-	    smp->chan.chan.conn->le.keys) {
-		bt_keys_clear(smp->chan.chan.conn->le.keys);
-	}
-
 	smp_pairing_complete(smp, BT_SMP_ERR_UNSPECIFIED);
 
 	atomic_set_bit(smp->flags, SMP_FLAG_TIMEOUT);
@@ -3092,15 +3093,6 @@ static u8_t smp_pairing_failed(struct bt_smp *smp, struct net_buf *buf)
 		}
 	}
 
-	/*
-	 * Pairing Failed command may be sent at any time during the pairing,
-	 * so if there are any keys distributed, shall be cleared.
-	 */
-	if (atomic_test_bit(smp->flags, SMP_FLAG_KEYS_DISTR) &&
-	    smp->chan.chan.conn->le.keys) {
-		bt_keys_clear(smp->chan.chan.conn->le.keys);
-	}
-
 	smp_pairing_complete(smp, req->reason);
 
 	/* return no error to avoid sending Pairing Failed in response */