From: johan.hedberg@gmail.com
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH 2/6] Bluetooth: Fix ignoring unknown SMP authentication requirement bits
Date: Wed, 10 Sep 2014 17:37:42 -0700 [thread overview]
Message-ID: <1410395866-24301-3-git-send-email-johan.hedberg@gmail.com> (raw)
In-Reply-To: <1410395866-24301-1-git-send-email-johan.hedberg@gmail.com>
From: Johan Hedberg <johan.hedberg@intel.com>
The SMP specification states that we should ignore any unknown bits from
the authentication requirement. We already have a define for masking out
unknown bits but we haven't used it in all places so far. This patch
adds usage of the AUTH_REQ_MASK to all places that need it and ensures
that we don't pass unknown bits onward to other functions.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/smp.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dbd17a07dc2e..ef8f96d2c059 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -949,8 +949,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
if (!smp)
return SMP_UNSPECIFIED;
+ /* We didn't start the pairing, so match remote */
+ auth = req->auth_req & AUTH_REQ_MASK;
+
if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
- (req->auth_req & SMP_AUTH_BONDING))
+ (auth & SMP_AUTH_BONDING))
return SMP_PAIRING_NOTSUPP;
SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
@@ -959,9 +962,6 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
memcpy(&smp->preq[1], req, sizeof(*req));
skb_pull(skb, sizeof(*req));
- /* We didn't start the pairing, so match remote */
- auth = req->auth_req;
-
sec_level = authreq_to_seclevel(auth);
if (sec_level > conn->hcon->pending_sec_level)
conn->hcon->pending_sec_level = sec_level;
@@ -1024,6 +1024,8 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
if (check_enc_key_size(conn, key_size))
return SMP_ENC_KEY_SIZE;
+ auth = rsp->auth_req & AUTH_REQ_MASK;
+
/* If we need MITM check that it can be acheived */
if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
u8 method;
@@ -1044,7 +1046,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
*/
smp->remote_key_dist &= rsp->resp_key_dist;
- auth = (req->auth_req | rsp->auth_req);
+ auth |= req->auth_req;
ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
if (ret)
@@ -1160,7 +1162,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_cmd_pairing cp;
struct hci_conn *hcon = conn->hcon;
struct smp_chan *smp;
- u8 sec_level;
+ u8 sec_level, auth;
BT_DBG("conn %p", conn);
@@ -1170,7 +1172,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
if (hcon->role != HCI_ROLE_MASTER)
return SMP_CMD_NOTSUPP;
- sec_level = authreq_to_seclevel(rp->auth_req);
+ auth = rp->auth_req & AUTH_REQ_MASK;
+
+ sec_level = authreq_to_seclevel(auth);
if (smp_sufficient_security(hcon, sec_level))
return 0;
@@ -1185,13 +1189,13 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
return SMP_UNSPECIFIED;
if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
- (rp->auth_req & SMP_AUTH_BONDING))
+ (auth & SMP_AUTH_BONDING))
return SMP_PAIRING_NOTSUPP;
skb_pull(skb, sizeof(*rp));
memset(&cp, 0, sizeof(cp));
- build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
+ build_pairing_cmd(conn, &cp, NULL, auth);
smp->preq[0] = SMP_CMD_PAIRING_REQ;
memcpy(&smp->preq[1], &cp, sizeof(cp));
--
1.9.3
next prev parent reply other threads:[~2014-09-11 0:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-11 0:37 [PATCH 0/6] Bluetooth: SMP and some other fixes johan.hedberg
2014-09-11 0:37 ` [PATCH 1/6] Bluetooth: Remove unnecessary early initialization of variable johan.hedberg
2014-09-11 0:37 ` johan.hedberg [this message]
2014-09-11 0:37 ` [PATCH 3/6] Bluetooth: Centralize disallowing SMP commands to a single place johan.hedberg
2014-09-11 0:37 ` [PATCH 4/6] Bluetooth: Fix SMP security level when we have no IO capabilities johan.hedberg
2014-09-11 0:37 ` [PATCH 5/6] Bluetooth: Add smp_ltk_sec_level() helper function johan.hedberg
2014-09-11 0:37 ` [PATCH 6/6] Bluetooth: Fix L2CAP information request handling for fixed channels johan.hedberg
2014-09-11 0:47 ` [PATCH 0/6] Bluetooth: SMP and some other fixes Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1410395866-24301-3-git-send-email-johan.hedberg@gmail.com \
--to=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.