From: johan.hedberg@gmail.com
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 30/32] Bluetooth: Fix validating LE PSM values
Date: Thu, 5 Dec 2013 15:11:28 +0200
Message-ID: <1386249090-10236-31-git-send-email-johan.hedberg@gmail.com>
In-Reply-To: <1386249090-10236-1-git-send-email-johan.hedberg@gmail.com>
From: Johan Hedberg <johan.hedberg@intel.com>
LE PSM values have different ranges than those for BR/EDR. The valid
range for fixed, SIG assigned values is 0x0001-0x007f and for dynamic
PSM values 0x0080-0x00ff. We need to ensure that bind() and connect()
calls conform to these ranges when operating on LE CoC sockets.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/l2cap_core.c | 15 +++++++++++++--
net/bluetooth/l2cap_sock.c | 40 +++++++++++++++++++++++++++++++---------
2 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e447bbedcabf..c638c280db40 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1861,6 +1861,18 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
return c1;
}
+static bool is_valid_psm(u16 psm, u8 dst_type)
+{
+ if (!psm)
+ return false;
+
+ if (bdaddr_type_is_le(dst_type))
+ return (psm < 0x00ff);
+
+ /* PSM must be odd and lsb of upper byte must be 0 */
+ return ((psm & 0x0101) == 0x0001);
+}
+
int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
bdaddr_t *dst, u8 dst_type)
{
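Review bot: the LE branch of is_valid_psm() tests `psm < 0x00ff`, which rejects 0x00ff, while the commit message gives the dynamic range as 0x0080-0x00ff and l2cap_validate_le_psm() in l2cap_sock.c only rejects `psm > 0x00ff`. As written, a socket can bind() to LE PSM 0x00ff but a connect() to that PSM is refused by the check in l2cap_chan_connect(). Suggest `return (psm <= 0x00ff);` so both paths enforce the same upper bound.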
@@ -1881,8 +1893,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
l2cap_chan_lock(chan);
- /* PSM must be odd and lsb of upper byte must be 0 */
- if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
+ if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
chan->chan_type != L2CAP_CHAN_RAW) {
err = -EINVAL;
goto done;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index c2424782c245..f4471fd6e99e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -53,6 +53,32 @@ bool l2cap_is_socket(struct socket *sock)
}
EXPORT_SYMBOL(l2cap_is_socket);
+static int l2cap_validate_bredr_psm(u16 psm)
+{
+ /* PSM must be odd and lsb of upper byte must be 0 */
+ if ((psm & 0x0101) != 0x0001)
+ return -EINVAL;
+
+ /* Restrict usage of well-known PSMs */
+ if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE))
+ return -EACCES;
+
+ return 0;
+}
+
+static int l2cap_validate_le_psm(u16 psm)
+{
+ /* Valid LE_PSM ranges are defined only until 0x00ff */
+ if (psm > 0x00ff)
+ return -EINVAL;
+
+ /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
+ if (psm <= 0x007f && !capable(CAP_NET_BIND_SERVICE))
+ return -EACCES;
+
+ return 0;
+}
+
static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
{
struct sock *sk = sock->sk;
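Review bot: the limits in l2cap_validate_le_psm() (0x00ff, 0x007f) and the mask test in l2cap_validate_bredr_psm() are bare literals that are repeated in is_valid_psm() in l2cap_core.c, so the bind() and connect() rules can drift apart. Suggest named constants for the LE PSM boundaries in a shared header and, if practical, one shared helper for the format checks, keeping only the capable(CAP_NET_BIND_SERVICE) tests local to the socket code. A one-line comment that l2cap_validate_le_psm() relies on the caller having already excluded PSM 0 would also help, since the function itself accepts 0 as a fixed value.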
@@ -94,17 +120,13 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
if (la.l2_psm) {
__u16 psm = __le16_to_cpu(la.l2_psm);
- /* PSM must be odd and lsb of upper byte must be 0 */
- if ((psm & 0x0101) != 0x0001) {
- err = -EINVAL;
- goto done;
- }
+ if (la.l2_bdaddr_type == BDADDR_BREDR)
+ err = l2cap_validate_bredr_psm(psm);
+ else
+ err = l2cap_validate_le_psm(psm);
- /* Restrict usage of well-known PSMs */
- if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) {
- err = -EACCES;
+ if (err)
goto done;
- }
}
if (la.l2_cid)
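Review bot: the dispatch `if (la.l2_bdaddr_type == BDADDR_BREDR) ... else` sends every non-BR/EDR address type, including values that are not valid LE types, to l2cap_validate_le_psm(), whereas is_valid_psm() in l2cap_core.c selects the LE rules with bdaddr_type_is_le(). Suggest using bdaddr_type_is_le(la.l2_bdaddr_type) here as well so the two call sites classify the address type the same way, or confirming that l2_bdaddr_type is validated earlier in l2cap_sock_bind(), which is not visible in this hunk.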
--
1.8.4.2
Thread overview: 36+ messages
2013-12-05 13:10 [PATCH v2 00/32] Bluetooth: LE CoC support johan.hedberg
2013-12-05 13:10 ` [PATCH v2 01/32] Bluetooth: Remove unnecessary braces from one-line if-statement johan.hedberg
2013-12-05 13:11 ` [PATCH v2 02/32] Bluetooth: Add module parameter to enable LE CoC support johan.hedberg
2013-12-05 13:11 ` [PATCH v2 03/32] Bluetooth: Update l2cap_global_chan_by_psm() to take a link type johan.hedberg
2013-12-05 13:11 ` [PATCH v2 04/32] Bluetooth: Allow l2cap_chan_check_security() to be used for LE links johan.hedberg
2013-12-05 13:11 ` [PATCH v2 05/32] Bluetooth: Pass command length to LE signaling channel handlers johan.hedberg
2013-12-05 13:11 ` [PATCH v2 06/32] Bluetooth: Move LE L2CAP initiator procedure to its own function johan.hedberg
2013-12-05 13:11 ` [PATCH v2 07/32] Bluetooth: Add definitions for LE connection oriented channels johan.hedberg
2013-12-05 13:11 ` [PATCH v2 08/32] Bluetooth: Add initial code for LE L2CAP Connect Request johan.hedberg
2013-12-05 13:11 ` [PATCH v2 09/32] Bluetooth: Add smp_sufficient_security helper function johan.hedberg
2013-12-05 13:11 ` [PATCH v2 10/32] Bluetooth: Refactor L2CAP connect rejection to its own function johan.hedberg
2013-12-05 13:11 ` [PATCH v2 11/32] Bluetooth: Add basic LE L2CAP connect request receiving support johan.hedberg
2013-12-05 13:11 ` [PATCH v2 12/32] Bluetooth: Fix L2CAP channel closing for LE connections johan.hedberg
2013-12-05 13:11 ` [PATCH v2 13/32] Bluetooth: Add L2CAP Disconnect suppport for LE johan.hedberg
2013-12-05 13:11 ` [PATCH v2 14/32] Bluetooth: Make l2cap_le_sig_cmd logic consistent johan.hedberg
2013-12-05 13:11 ` [PATCH v2 15/32] Bluetooth: Add LE L2CAP flow control mode johan.hedberg
2013-12-05 13:11 ` [PATCH v2 16/32] Bluetooth: Track LE L2CAP credits in l2cap_chan johan.hedberg
2013-12-05 13:11 ` [PATCH v2 17/32] Bluetooth: Limit L2CAP_OPTIONS socket option usage with LE johan.hedberg
2013-12-05 13:11 ` [PATCH v2 18/32] Bluetooth: Add new BT_SNDMTU and BT_RCVMTU socket options johan.hedberg
2013-12-05 13:11 ` [PATCH v2 19/32] Bluetooth: Implement returning of LE L2CAP credits johan.hedberg
2013-12-05 13:11 ` [PATCH v2 20/32] Bluetooth: Add LE flow control discipline johan.hedberg
2013-12-05 13:11 ` [PATCH v2 21/32] Bluetooth: Reject LE CoC commands when the feature is not enabled johan.hedberg
2013-12-05 13:11 ` [PATCH v2 22/32] Bluetooth: Introduce L2CAP channel callback for suspending johan.hedberg
2013-12-05 13:11 ` [PATCH v2 23/32] Bluetooth: Add LE L2CAP segmentation support for outgoing data johan.hedberg
2013-12-05 13:11 ` [PATCH v2 24/32] Bluetooth: Implement LE L2CAP reassembly johan.hedberg
2013-12-05 13:11 ` [PATCH v2 25/32] Bluetooth: Fix LE L2CAP Connect Request handling together with SMP johan.hedberg
2013-12-05 13:11 ` [PATCH v2 26/32] Bluetooth: Fix suspending the L2CAP socket if we start with 0 credits johan.hedberg
2013-12-05 13:11 ` [PATCH v2 27/32] Bluetooth: Limit LE MPS to the MTU value johan.hedberg
2013-12-05 13:11 ` [PATCH v2 28/32] Bluetooth: Fix clearing of chan->omtu for LE CoC channels johan.hedberg
2013-12-05 13:11 ` [PATCH v2 29/32] Bluetooth: Fix CID ranges for LE CoC CID allocations johan.hedberg
2013-12-05 13:11 ` johan.hedberg [this message]
2013-12-06 0:02 ` [PATCH v2 30/32] Bluetooth: Fix validating LE PSM values Anderson Lizardo
2013-12-06 5:05 ` Johan Hedberg
2013-12-05 13:11 ` [PATCH v2 31/32] Bluetooth: Add debugfs controls for LE CoC MPS and Credits johan.hedberg
2013-12-05 13:11 ` [PATCH v2 32/32] Bluetooth: Simplify l2cap_chan initialization for LE CoC johan.hedberg
2013-12-05 15:06 ` [PATCH v2 00/32] Bluetooth: LE CoC support Marcel Holtmann