Pull request: bluetooth-2.6 2010-07-08

Pull request: bluetooth-2.6 2010-07-08

[Marcel Holtmann]

Hi Dave,

so I took the two security fixes and the interoperability fix for basic
mode L2CAP connections and combined them here.

All the other patches where bug fixes with L2CAP ERTM support and I will
send them separately.

Regards

Marcel


Please pull from

    git://git.kernel.org/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6.git master

This will update the following files:

 net/bluetooth/hci_conn.c  |    5 +++++
 net/bluetooth/hci_event.c |    2 ++
 net/bluetooth/l2cap.c     |   14 +++++++++++---
 3 files changed, 18 insertions(+), 3 deletions(-)

through these ChangeSets:

Andrei Emeltchenko (1):
    Bluetooth: Check L2CAP pending status before sending connect request

Johan Hedberg (1):
    Bluetooth: Reset the security level after an authentication failure

Ville Tervo (1):
    Bluetooth: Update sec_level/auth_type for already existing connections

[PATCH 1/3] Bluetooth: Check L2CAP pending status before sending connect request

[Marcel Holtmann]

From: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>

Due to race condition in L2CAP state machine L2CAP Connection Request
may be sent twice for SDP with the same source channel id. Problems
reported connecting to Apple products, some carkit, Blackberry phones.

...
2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040
2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 1 packets 1
2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3
    status 0x00 handle 1
2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040
...

Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection
Request has been sent already.

Modified version of patch from Ville Tervo.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 net/bluetooth/l2cap.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 1b682a5..cf3c407 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -401,6 +401,11 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
 	l2cap_send_sframe(pi, control);
 }
 
+static inline int __l2cap_no_conn_pending(struct sock *sk)
+{
+	return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
+}
+
 static void l2cap_do_start(struct sock *sk)
 {
 	struct l2cap_conn *conn = l2cap_pi(sk)->conn;
@@ -409,12 +414,13 @@ static void l2cap_do_start(struct sock *sk)
 		if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
 			return;
 
-		if (l2cap_check_security(sk)) {
+		if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
 			struct l2cap_conn_req req;
 			req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
 			req.psm  = l2cap_pi(sk)->psm;
 
 			l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+			l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
 
 			l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 					L2CAP_CONN_REQ, sizeof(req), &req);
@@ -464,12 +470,14 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
 		}
 
 		if (sk->sk_state == BT_CONNECT) {
-			if (l2cap_check_security(sk)) {
+			if (l2cap_check_security(sk) &&
+					__l2cap_no_conn_pending(sk)) {
 				struct l2cap_conn_req req;
 				req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
 				req.psm  = l2cap_pi(sk)->psm;
 
 				l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+				l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
 
 				l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 					L2CAP_CONN_REQ, sizeof(req), &req);
@@ -2912,7 +2920,6 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
 		l2cap_pi(sk)->ident = 0;
 		l2cap_pi(sk)->dcid = dcid;
 		l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-
 		l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
 
 		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
@@ -4404,6 +4411,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 				req.psm  = l2cap_pi(sk)->psm;
 
 				l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+				l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
 
 				l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 					L2CAP_CONN_REQ, sizeof(req), &req);
-- 
1.7.1.1

[PATCH 2/3] Bluetooth: Reset the security level after an authentication failure

[Marcel Holtmann]

From: Johan Hedberg <johan.hedberg@nokia.com>

When authentication fails for a connection the assumed security level
should be set back to BT_SECURITY_LOW so that subsequent connect
attempts over the same link don't falsely assume that security is
adequate enough.

Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 net/bluetooth/hci_event.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6c57fc7..786b5de 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1049,6 +1049,8 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
 	if (conn) {
 		if (!ev->status)
 			conn->link_mode |= HCI_LM_AUTH;
+		else
+			conn->sec_level = BT_SECURITY_LOW;
 
 		clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
 
-- 
1.7.1.1

[PATCH 3/3] Bluetooth: Update sec_level/auth_type for already existing connections

[Marcel Holtmann]

From: Ville Tervo <ville.tervo@nokia.com>

Update auth level for already existing connections if it is lower
than required by new connection.

Signed-off-by: Ville Tervo <ville.tervo@nokia.com>
Reviewed-by: Emeltchenko Andrei <andrei.emeltchenko@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 net/bluetooth/hci_conn.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b10e3cd..800b6b9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -358,6 +358,11 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
 		acl->sec_level = sec_level;
 		acl->auth_type = auth_type;
 		hci_acl_connect(acl);
+	} else {
+		if (acl->sec_level < sec_level)
+			acl->sec_level = sec_level;
+		if (acl->auth_type < auth_type)
+			acl->auth_type = auth_type;
 	}
 
 	if (type == ACL_LINK)
-- 
1.7.1.1

Re: Pull request: bluetooth-2.6 2010-07-08

[David Miller]

From: Marcel Holtmann <marcel@holtmann.org>
Date: Thu,  8 Jul 2010 20:40:50 -0300

> Hi Dave,
> 
> so I took the two security fixes and the interoperability fix for basic
> mode L2CAP connections and combined them here.
> 
> All the other patches where bug fixes with L2CAP ERTM support and I will
> send them separately.
 ...
> Please pull from
> 
>     git://git.kernel.org/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6.git master

Pulled, thanks.

Pull request: bluetooth-2.6 2010-07-08

[Marcel Holtmann]

Hi Dave,

these patches fix a few bugs and crashes and also two security related
issues with the authentication procedure.

This will also be my last pull request for you. From now on all future
patches will be submitted towards John's wireless trees. That way we
can coordindate the development of Bluetooth 3.0 (Bluetooth over WiFi)
and avoid any kind of conflicts.

Regards

Marcel


Please pull from

    git://git.kernel.org/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6.git master

This will update the following files:

 net/bluetooth/Kconfig     |   13 ----
 net/bluetooth/hci_conn.c  |    5 ++
 net/bluetooth/hci_event.c |    2 +
 net/bluetooth/l2cap.c     |  138 +++++++++++++++++++++++++++------------------
 4 files changed, 90 insertions(+), 68 deletions(-)

through these ChangeSets:

Andrei Emeltchenko (1):
    Bluetooth: Check L2CAP pending status before sending connect request

Gustavo F. Padovan (8):
    Bluetooth: Remove max_tx and tx_window module paramenters from L2CAP
    Bluetooth: Remove L2CAP Extended Features from Kconfig
    Bluetooth: Fix drop of packets with invalid req_seq/tx_seq
    Bluetooth: Fix bug with ERTM vars increment
    Bluetooth: Only check SAR bits if frame is an I-frame
    Bluetooth: Fix bug in l2cap_ertm_send() behavior
    Bluetooth: Proper shutdown ERTM when closing the channel
    Bluetooth: Fix L2CAP control bit field corruption

Johan Hedberg (1):
    Bluetooth: Reset the security level after an authentication failure

João Paulo Rechi Vita (1):
    Bluetooth: Fix SREJ_QUEUE corruption in L2CAP

Nathan Holstein (1):
    Bluetooth: Fix bug with ERTM minimum packet length

Ville Tervo (1):
    Bluetooth: Update sec_level/auth_type for already existing connections

Re: Pull request: bluetooth-2.6 2010-07-08

[David Miller]

From: Marcel Holtmann <marcel@holtmann.org>
Date: Thu,  8 Jul 2010 16:59:49 -0300

> these patches fix a few bugs and crashes and also two security related
> issues with the authentication procedure.

13 changes is too much this late in the -RC series.  Fixes need to
trickle in, in small quantities, and therefore it's critical that
maintainers submit fixes often and as soon as they are ready.

Please pick a small number of the most critical fixes, say 3 or 4.  An
easy way to roughly quantify which ones shoule be included is:

1) Is there an OOPS or crash regression reported by real users and
   listed in the official lkml regression list which is caused by this
   problem?

2) Is there an exploitable security concern fixed by this change?

Else, it's only net-next-2.6 material.

For example:

    Bluetooth: Remove max_tx and tx_window module paramenters from L2CAP

Things like that change are absolutely not appropriate at this
stage in the post merge-window development environment.

Thanks.

Re: Pull request: bluetooth-2.6 2010-07-08

[Marcel Holtmann]

Hi Dave,

> > these patches fix a few bugs and crashes and also two security related
> > issues with the authentication procedure.
> 
> 13 changes is too much this late in the -RC series.  Fixes need to
> trickle in, in small quantities, and therefore it's critical that
> maintainers submit fixes often and as soon as they are ready.
> 
> Please pick a small number of the most critical fixes, say 3 or 4.  An
> easy way to roughly quantify which ones shoule be included is:
> 
> 1) Is there an OOPS or crash regression reported by real users and
>    listed in the official lkml regression list which is caused by this
>    problem?
> 
> 2) Is there an exploitable security concern fixed by this change?
> 
> Else, it's only net-next-2.6 material.
> 
> For example:
> 
>     Bluetooth: Remove max_tx and tx_window module paramenters from L2CAP
> 
> Things like that change are absolutely not appropriate at this
> stage in the post merge-window development environment.

I can take these out and leave them for -next. That is fine with me, but
you asked Gustavo to remove these. And so I left them in.

Regards

Marcel