authorAndre Eisenbach <eisenbach@google.com>2015-01-26 13:49:36 -0800
committerNatalie Silvanovich <natashenka@google.com>2015-03-06 15:26:02 -0800
commit0360aa7c418152a3e5e335a065ac3629cbb09559 (patch)
treef6d7c3267ef719f986eeb020f91befddbc9ce7cf
parent3e12cd500a06053da91f5cb69837838ea7455067 (diff)
Change pairing_cb to assume temporary pairing by default
When pairing takes place, the pairing_cb.is_temp flag indicates whether a pairing is temporary or permanent. Link keys are not stored for temporary pairings. Since this is a "positive" flag, resetting the pairing_cb control block (e.g. memset to 0) makes it assume persistent pairing by default. Under certain circumstances, this can lead to a link key being stored for a temporarily secured connection. This patch reverses the flag to be a "negative" flag. Renamed to "persistent_bond", the default value 0 now indicates a temporary bond. If the flag is not properly set, it now defaults to a temporary bond and will not save the link key erroneously. This fix is for CVE-2014-7914 Bug: 18345373 Change-Id: I6e821595877ff30d64dc6e33602ac049cab3dd1e
-rw-r--r--btif/src/btif_dm.c26
1 files changed, 15 insertions, 11 deletions
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index c8e1bac..46eac66 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -111,11 +111,15 @@ BOOLEAN blacklistPairingRetries(BD_ADDR bd_addr)
#define MAX_SDP_BL_ENTRIES 3
+#define BOND_TYPE_UNKNOWN 0
+#define BOND_TYPE_PERSISTENT 1
+#define BOND_TYPE_TEMPORARY 2
+
typedef struct
{
bt_bond_state_t state;
BD_ADDR bd_addr;
- UINT8 is_temp;
+ UINT8 bond_type;
UINT8 pin_code_len;
UINT8 is_ssp;
UINT8 auth_req;
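Review bot: The three BOND_TYPE_* defines carry no comment explaining why BOND_TYPE_UNKNOWN must be 0, yet that is the whole fix: the commit description says pairing_cb is reset with memset, so the zero value is what every code path that never assigns bond_type ends up with, and it must never be mistaken for a persistent bond. Add `/* Must stay 0: pairing_cb is zeroed with memset, and an unset bond type must not be treated as persistent (CVE-2014-7914) */` above BOND_TYPE_UNKNOWN, and at the `bond_type` field note that BOND_TYPE_PERSISTENT is the only value that by itself allows a link key to be stored. An enum would additionally give the field a debugger-visible type, but the defines match the file's existing style. The struct's typedef name and closing brace lie outside the hunk.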
@@ -469,7 +473,7 @@ static void bond_state_changed(bt_status_t status, bt_bdaddr_t *bd_addr, bt_bond
if ( (pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING) )
return;
- if (pairing_cb.is_temp)
+ if (pairing_cb.bond_type == BOND_TYPE_TEMPORARY)
{
state = BT_BOND_STATE_NONE;
}
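Review bot: The exact comparison `pairing_cb.bond_type == BOND_TYPE_TEMPORARY` deserves a comment, because a reader who has just read the commit message ("default 0 means temporary") will be tempted to "simplify" it to `!= BOND_TYPE_PERSISTENT`, which would be wrong: the last hunk shows bond_state_changed(..., BT_BOND_STATE_BONDING) being called before bond_type is assigned, so BOND_TYPE_UNKNOWN is also the legitimate in-progress state and must not collapse BONDING into NONE here. Suggest `/* Only an explicit temporary bond is reported as NONE; UNKNOWN is the in-progress state set before bond_type is decided */` above the if. bond_state_changed starts before and continues after this hunk.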
@@ -897,9 +901,9 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ *p_ssp_cfm_req)
if (p_ssp_cfm_req->just_works && !(p_ssp_cfm_req->loc_auth_req & BTM_AUTH_BONDS) &&
!(p_ssp_cfm_req->rmt_auth_req & BTM_AUTH_BONDS) &&
!(check_cod((bt_bdaddr_t*)&p_ssp_cfm_req->bd_addr, COD_HID_POINTING)))
- pairing_cb.is_temp = TRUE;
+ pairing_cb.bond_type = BOND_TYPE_TEMPORARY;
else
- pairing_cb.is_temp = FALSE;
+ pairing_cb.bond_type = BOND_TYPE_PERSISTENT;
pairing_cb.is_ssp = TRUE;
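Review bot: Both arms of the `if`/`else` that follow the three-line just-works condition are unbraced single statements, which is exactly the shape in which a later-added line lands in the wrong arm (the "goto fail" pattern); brace both arms. The rename itself is mechanical. A comment at the `else` such as `/* bonding requested by either side, or a HID pointing device: keep the link key */` would record why those cases are marked persistent, since the condition is the only place in the file where that policy is expressed. btif_dm_ssp_cfm_req_evt begins before the hunk.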
@@ -987,11 +991,11 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
if ( (p_auth_cmpl->success == TRUE) && (p_auth_cmpl->key_present) )
{
if ((p_auth_cmpl->key_type < HCI_LKEY_TYPE_DEBUG_COMB) || (p_auth_cmpl->key_type == HCI_LKEY_TYPE_AUTH_COMB) ||
- (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || (!pairing_cb.is_temp))
+ (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || pairing_cb.bond_type == BOND_TYPE_PERSISTENT)
{
bt_status_t ret;
- BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, is_temp=%d",
- __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp);
+ BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, bond_type=%d",
+ __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type);
ret = btif_storage_add_bonded_device(&bd_addr,
p_auth_cmpl->key, p_auth_cmpl->key_type,
pairing_cb.pin_code_len);
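Review bot: The new operand `pairing_cb.bond_type == BOND_TYPE_PERSISTENT` is the only unparenthesized term in the four-way `||` chain; wrap it as `(pairing_cb.bond_type == BOND_TYPE_PERSISTENT)` to match the other three and make the grouping obvious to the next reader. Note also that the first three terms still store the key regardless of bond_type, so a temporary pairing that produces a legacy combination key, an HCI_LKEY_TYPE_AUTH_COMB or an HCI_LKEY_TYPE_CHANGED_COMB key is persisted anyway; that looks deliberate, since only the debug and unauthenticated key types are left to the bond_type gate, but a comment such as `/* bond_type only gates the key types not covered above (debug/unauthenticated) */` would make the policy explicit. btif_dm_auth_cmpl_evt begins before and continues after this hunk.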
@@ -999,9 +1003,9 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
}
else
{
- BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, is_temp=%d",
- __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp);
- if(pairing_cb.is_temp)
+ BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, bond_type=%d",
+ __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type);
+ if(pairing_cb.bond_type == BOND_TYPE_TEMPORARY)
{
BTIF_TRACE_DEBUG("%s: sending BT_BOND_STATE_NONE for Temp pairing",
__FUNCTION__);
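Review bot: The else branch now reports BT_BOND_STATE_NONE only for BOND_TYPE_TEMPORARY, while the store decision three lines earlier is gated on BOND_TYPE_PERSISTENT, so the new BOND_TYPE_UNKNOWN value falls into the gap: its key is (correctly) not stored, yet the upper layer is not told the bond does not exist. By the time the auth-complete event arrives the bond type is final, so unlike bond_state_changed there is no in-progress state to protect; `if(pairing_cb.bond_type != BOND_TYPE_PERSISTENT)` would make the two decisions consistent. If the remainder of the function, which is outside the hunk, goes on to report BT_BOND_STATE_BONDED, the caller would otherwise believe it is bonded with no link key on disk; worth confirming against that code.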
@@ -2945,7 +2949,7 @@ void btif_dm_ble_sec_req_evt(tBTA_DM_BLE_SEC_REQ *p_ble_req)
bond_state_changed(BT_STATUS_SUCCESS, &bd_addr, BT_BOND_STATE_BONDING);
- pairing_cb.is_temp = FALSE;
+ pairing_cb.bond_type = BOND_TYPE_PERSISTENT;
pairing_cb.is_le_only = TRUE;
pairing_cb.is_ssp = TRUE;