Linux bluetooth development
From: Marcel Holtmann <marcel@holtmann.org>
To: Johan Hedberg <johan.hedberg@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH 07/10] Bluetooth: Fix checking for valid address type values in mgmt commands
Date: Fri, 18 Jan 2013 08:53:14 -0800
Message-ID: <1358527994.5510.4.camel@aeonflux>
In-Reply-To: <1358515558-17861-8-git-send-email-johan.hedberg@gmail.com>

Hi Johan,

> This patch adds checks for valid address type values passed to mgmt
> commands. If an invalid address type is encountered the code will return
> a proper invalid params response.
> 
> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
> ---
>  net/bluetooth/mgmt.c |   43 ++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 38 insertions(+), 5 deletions(-)
> 
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index 76301a3..3de4bc2 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -1506,7 +1506,7 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
>  {
>  	struct mgmt_cp_load_link_keys *cp = data;
>  	u16 key_count, expected_len;
> -	int i;
> +	int i, err;
>  
>  	key_count = __le16_to_cpu(cp->key_count);
>  
> @@ -1540,15 +1540,24 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
>  	for (i = 0; i < key_count; i++) {
>  		struct mgmt_link_key_info *key = &cp->keys[i];
>  
> +		if (key->addr.type != BDADDR_BREDR) {
> +			clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
> +			hci_link_keys_clear(hdev);
> +			err = cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
> +					 MGMT_STATUS_INVALID_PARAMS);
> +			goto unlock;
> +		}
> +
>  		hci_add_link_key(hdev, NULL, 0, &key->addr.bdaddr, key->val,
>  				 key->type, key->pin_len);
>  	}
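Review bot: the new key->addr.type check sits inside the apply loop, so when entry i is rejected, entries 0..i-1 have already gone through hci_add_link_key(), and the recovery path then calls hci_link_keys_clear() and clear_bit(HCI_DEBUG_KEYS, ...), i.e. a malformed Load Link Keys command changes device state instead of being a no-op. Move the check into a separate validation pass over cp->keys before the first hci_add_link_key(), next to the key_count / expected_len handling at the top of the function, and return cmd_status(..., MGMT_STATUS_INVALID_PARAMS) from there; the apply loop then needs no rollback at all.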

I am not a huge fan of doing it this way (same applies to LTKs). You are
introducing a side effect here. An invalid command will clear the keys.

Please check the validity of the key parameters ahead of time and not in
the middle of applying them. Your rollback is broken since it just
clears all keys.

We could add /sys/kernel/debug/bluetooth/hci0/link_keys as a root-only
entry to allow checking this mgmt-tester.

Regards

Marcel
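A small C model of the two strategies contrasted in the review above, added here as an illustration and not taken from the patch or the kernel: load_link_keys_patch keeps the hunk's validate-while-applying shape, load_link_keys_prevalidated checks every entry before touching the store. The toy key store, MAX_KEYS and the scenario helper are assumptions; the constant values follow the kernel's headers.

```c
#include <stdint.h>
#include <stddef.h>
#define BDADDR_BREDR               0x00 /* values follow the kernel headers */
#define MGMT_STATUS_SUCCESS        0x00
#define MGMT_STATUS_INVALID_PARAMS 0x0d
#define MAX_KEYS 8                      /* toy store capacity (assumption) */
struct link_key_info { uint8_t bdaddr[6]; uint8_t addr_type; uint8_t val[16]; };

/* Toy key store standing in for hdev->link_keys (assumption). */
static struct link_key_info store[MAX_KEYS];
static size_t store_count;
static void link_keys_clear(void) { store_count = 0; }
static void add_link_key(const struct link_key_info *k)
{ if (store_count < MAX_KEYS) store[store_count++] = *k; }

/* Mirrors the patch: validate while applying and wipe the store on error,
 * so entries before the bad one are applied and then lost with the rest. */
int load_link_keys_patch(const struct link_key_info *keys, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (keys[i].addr_type != BDADDR_BREDR) {
            link_keys_clear();
            return MGMT_STATUS_INVALID_PARAMS;
        }
        add_link_key(&keys[i]);
    }
    return MGMT_STATUS_SUCCESS;
}

/* The reviewer's request: reject the whole command before touching the
 * store, so an invalid command has no side effect at all. */
int load_link_keys_prevalidated(const struct link_key_info *keys, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (keys[i].addr_type != BDADDR_BREDR) return MGMT_STATUS_INVALID_PARAMS;
    for (size_t i = 0; i < n; i++) add_link_key(&keys[i]);
    return MGMT_STATUS_SUCCESS;
}

/* Scenario: one key already stored, then a 3-entry command whose middle entry
 * carries an LE address type. Returns how many keys are left in the store. */
size_t keys_left_after_bad_command(int prevalidated)
{
    struct link_key_info k = { {1, 2, 3, 4, 5, 6}, BDADDR_BREDR, {0} };
    struct link_key_info cmd[3];
    cmd[0] = cmd[1] = cmd[2] = k;
    cmd[1].addr_type = 0x01;            /* BDADDR_LE_PUBLIC: not a BR/EDR key */
    link_keys_clear();
    add_link_key(&k);
    (prevalidated ? load_link_keys_prevalidated : load_link_keys_patch)(cmd, 3);
    return store_count;
}
```

With the patch's shape the pre-existing key is gone after the rejected command; with the pre-validation pass it survives untouched.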