diff --git a/src/protocols/secure_channel/PASESession.cpp b/src/protocols/secure_channel/PASESession.cpp index 638b99624bae6c..4bf1aa55217c57 100644 --- a/src/protocols/secure_channel/PASESession.cpp +++ b/src/protocols/secure_channel/PASESession.cpp @@ -232,7 +232,15 @@ CHIP_ERROR PASESession::Pair(SessionManager & sessionManager, uint32_t peerSetUp exit: if (err != CHIP_NO_ERROR) { + // If a failure happens before we have placed the incoming exchange into `mExchangeCtxt`, we need to make + // sure to close the exchange to fulfill our API contract. + if (!mExchangeCtxt.HasValue()) + { + exchangeCtxt->Close(); + } Clear(); + ChipLogError(SecureChannel, "Failed during PASE session pairing request: %" CHIP_ERROR_FORMAT, err.Format()); + MATTER_TRACE_COUNTER("PASEFail"); } return err; } diff --git a/src/protocols/secure_channel/PASESession.h b/src/protocols/secure_channel/PASESession.h index 2e731283c88aa8..92b4ee3d8b991c 100644 --- a/src/protocols/secure_channel/PASESession.h +++ b/src/protocols/secure_channel/PASESession.h @@ -99,6 +99,8 @@ class DLL_EXPORT PASESession : public Messaging::UnsolicitedMessageHandler, * ownership of the exchangeCtxt to PASESession object. PASESession * will close the exchange on (successful/failed) handshake completion. * @param delegate Callback object + * The delegate will be notified if and only if Pair() returns success. Errors occurring after Pair() + * returns success will be reported via the delegate. * * @return CHIP_ERROR The result of initialization */