Linux bluetooth development
From: johan.hedberg@gmail.com
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH 9/9] Bluetooth: Fix properly ignoring unexpected SMP PDUs
Date: Tue, 18 Feb 2014 10:19:37 +0200
Message-ID: <1392711577-31431-9-git-send-email-johan.hedberg@gmail.com>
In-Reply-To: <1392711577-31431-1-git-send-email-johan.hedberg@gmail.com>

From: Johan Hedberg <johan.hedberg@intel.com>

If we didn't request certain pieces of information during the key
distribution negotiation we should properly ignore those PDUs if the
peer incorrectly sends them. This includes the Encryption Information
and Master Identification PDUs if the EncKey bit was not set, and the
Identity Information and Identity Address Information PDUs if the IdKey
bit was not set.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
 net/bluetooth/smp.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 024baa789eb9..5867c1c3f436 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -891,6 +891,10 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
 	if (skb->len < sizeof(*rp))
 		return SMP_UNSPECIFIED;
 
+	/* Ignore this PDU if it wasn't requested */
+	if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
+		return 0;
+
 	skb_pull(skb, sizeof(*rp));
 
 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
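
Review bot: The new early return in smp_cmd_encrypt_info sits after the `skb->len < sizeof(*rp)` check, so an unrequested Encryption Information PDU that is also too short still returns SMP_UNSPECIFIED instead of being ignored. If the intent is that unrequested PDUs never affect the pairing, move the `remote_key_dist` test above the length check; if the current order is deliberate, say so in the comment.
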
@@ -911,6 +915,10 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
 	if (skb->len < sizeof(*rp))
 		return SMP_UNSPECIFIED;
 
+	/* Ignore this PDU if it wasn't requested */
+	if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
+		return 0;
+
 	skb_pull(skb, sizeof(*rp));
 
 	hci_dev_lock(hdev);
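
Review bot: In smp_cmd_master_ident the `return 0` drops the PDU silently, leaving no trace that the peer sent something it was not asked for. A BT_DBG line before the return would make a misbehaving peer visible when debugging pairing. The same three-line test on SMP_DIST_ENC_KEY also appears in smp_cmd_encrypt_info, so a small helper taking the bit as an argument would keep the copies in step.
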
@@ -935,6 +943,10 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
 	if (skb->len < sizeof(*info))
 		return SMP_UNSPECIFIED;
 
+	/* Ignore this PDU if it wasn't requested */
+	if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
+		return 0;
+
 	skb_pull(skb, sizeof(*info));
 
 	memcpy(smp->irk, info->irk, 16);
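
Review bot: The test on SMP_DIST_ID_KEY in smp_cmd_ident_info only reads `smp->remote_key_dist`, and nothing in the visible lines records that the PDU has been accepted, so a peer that sends Identity Information twice would have the second copy overwrite `smp->irk`. If the rest of the function does not already handle this, consider tracking which requested PDUs have been received so that each one is accepted once.
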
@@ -955,6 +967,10 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
 	if (skb->len < sizeof(*info))
 		return SMP_UNSPECIFIED;
 
+	/* Ignore this PDU if it wasn't requested */
+	if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
+		return 0;
+
 	skb_pull(skb, sizeof(*info));
 
 	bacpy(&smp->id_addr, &info->bdaddr);
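
Review bot: The check added to smp_cmd_ident_addr_info confirms that IdKey was negotiated but not that Identity Information has already arrived, so the `bacpy` into `smp->id_addr` can run while `smp->irk` has not been filled in. Unless ordering is enforced outside the lines shown, either check for it here or document in the comment that the address may be stored before the IRK.
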
-- 
1.8.5.3


Thread overview: 11+ messages
2014-02-18  8:19 [PATCH 1/9] Bluetooth: Fix missing PDU length checks for SMP johan.hedberg
2014-02-18  8:19 ` [PATCH 2/9] Bluetooth: Fix minor whitespace issues in SMP code johan.hedberg
2014-02-18  8:19 ` [PATCH 3/9] Bluetooth: Add smp_irk_matches helper function johan.hedberg
2014-02-18  8:19 ` [PATCH 4/9] Bluetooth: Add AES crypto context for each HCI device johan.hedberg
2014-02-18  8:40   ` [PATCH v2] " johan.hedberg
2014-02-18  8:54     ` Marcel Holtmann
2014-02-18  8:19 ` [PATCH 5/9] Bluetooth: Add basic IRK management support johan.hedberg
2014-02-18  8:19 ` [PATCH 6/9] Bluetooth: Add hci_bdaddr_is_rpa convenience function johan.hedberg
2014-02-18  8:19 ` [PATCH 7/9] Bluetooth: Implement mgmt_load_irks command johan.hedberg
2014-02-18  8:19 ` [PATCH 8/9] Bluetooth: Enable support for remote IRK distribution johan.hedberg
2014-02-18  8:19 ` johan.hedberg [this message]
