Maksytka/linux
1
1
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-11-30 23:16:01 +07:00
Code Issues Packages Projects Releases Wiki Activity

Bluetooth: SMP: Fix not generating mackey and ltk when repairing

Browse Source 
The change eed467b517 ("Bluetooth: fix passkey uninitialized when used")
introduced a goto that bypasses the creation of temporary mackey and ltk
which are later used by the likes of DHKey Check step.

Later ffee202a78 ("Bluetooth: Always request for user confirmation for
Just Works (LE SC)") which means confirm_hint is always set in case
JUST_WORKS so the branch checking for an existing LTK becomes pointless
as confirm_hint will always be set, so this just merge both cases of
malicious or legitimate devices to be confirmed before continuing with the
pairing procedure.

Link: https://github.com/bluez/bluez/issues/1622
Fixes: eed467b517 ("Bluetooth: fix passkey uninitialized when used")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Luiz Augusto von Dentz
2025-11-17 13:45:13 -05:00
parent c884a0b27b
commit 545d7827b2
1 changed files with 7 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
net/bluetooth/smp.c
View File

@@ -2136,7 +2136,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_chan *smp = chan->data;
struct hci_conn *hcon = conn->hcon;
u8 *pkax, *pkbx, *na, *nb, confirm_hint;
u32 passkey;
u32 passkey = 0;
int err;
bt_dev_dbg(hcon->hdev, "conn %p", conn);
@@ -2188,24 +2188,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
smp->prnd);
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
/* Only Just-Works pairing requires extra checks */
if (smp->method != JUST_WORKS)
goto mackey_and_ltk;
/* If there already exists long term key in local host, leave
* the decision to user space since the remote device could
* be legitimate or malicious.
*/
if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
hcon->role)) {
/* Set passkey to 0. The value can be any number since
* it'll be ignored anyway.
*/
passkey = 0;
confirm_hint = 1;
goto confirm;
}
}
mackey_and_ltk:
@@ -2226,11 +2208,12 @@ mackey_and_ltk:
if (err)
return SMP_UNSPECIFIED;
confirm_hint = 0;
confirm:
if (smp->method == JUST_WORKS)
confirm_hint = 1;
/* Always require user confirmation for Just-Works pairing to prevent
* impersonation attacks, or in case of a legitimate device that is
* repairing use the confirmation as acknowledgment to proceed with the
* creation of new keys.
*/
confirm_hint = smp->method == JUST_WORKS ? 1 : 0;
err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
hcon->dst_type, passkey, confirm_hint);