author | Andre Eisenbach <eisenbach@google.com> | 2015-01-26 13:49:36 -0800 |
---|---|---|
committer | Natalie Silvanovich <natashenka@google.com> | 2015-03-06 15:26:02 -0800 |
commit | 0360aa7c418152a3e5e335a065ac3629cbb09559 (patch) | |
tree | f6d7c3267ef719f986eeb020f91befddbc9ce7cf | |
parent | 3e12cd500a06053da91f5cb69837838ea7455067 (diff) | |
download | bluedroid-0360aa7c418152a3e5e335a065ac3629cbb09559.tar.gz |
Change pairing_cb to assume temporary pairing by default
When pairing takes place, the pairing_cb.is_temp flag indicates whether
a pairing is temporary or permanent. Link keys are not stored for
temporary pairings. Since this is a "positive" flag, resetting the
pairing_cb control block (e.g. memset to 0) makes it assume persistent
pairing by default. Under certain circumstances, this can lead to a link
key being stored for a temporarily secured connection.
This patch reverses the flag to be a "negative" flag. Renamed to
"persistent_bond", the default 0 meaning is now used to indicate a
temporary bond. If the flag is not properly set now, it will default to a
temporary bond and will not save the link key erroneously.
This fix is for CVE-2014-7914
Bug: 18345373
Change-Id: I6e821595877ff30d64dc6e33602ac049cab3dd1e
-rw-r--r-- | btif/src/btif_dm.c | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c index c8e1bac..46eac66 100644 --- a/btif/src/btif_dm.c +++ b/btif/src/btif_dm.c @@ -111,11 +111,15 @@ BOOLEAN blacklistPairingRetries(BD_ADDR bd_addr) #define MAX_SDP_BL_ENTRIES 3 +#define BOND_TYPE_UNKNOWN 0 +#define BOND_TYPE_PERSISTENT 1 +#define BOND_TYPE_TEMPORARY 2 + typedef struct { bt_bond_state_t state; BD_ADDR bd_addr; - UINT8 is_temp; + UINT8 bond_type; UINT8 pin_code_len; UINT8 is_ssp; UINT8 auth_req; @@ -469,7 +473,7 @@ static void bond_state_changed(bt_status_t status, bt_bdaddr_t *bd_addr, bt_bond if ( (pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING) ) return; - if (pairing_cb.is_temp) + if (pairing_cb.bond_type == BOND_TYPE_TEMPORARY) { state = BT_BOND_STATE_NONE; } @@ -897,9 +901,9 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ *p_ssp_cfm_req) if (p_ssp_cfm_req->just_works && !(p_ssp_cfm_req->loc_auth_req & BTM_AUTH_BONDS) && !(p_ssp_cfm_req->rmt_auth_req & BTM_AUTH_BONDS) && !(check_cod((bt_bdaddr_t*)&p_ssp_cfm_req->bd_addr, COD_HID_POINTING))) - pairing_cb.is_temp = TRUE; + pairing_cb.bond_type = BOND_TYPE_TEMPORARY; else - pairing_cb.is_temp = FALSE; + pairing_cb.bond_type = BOND_TYPE_PERSISTENT; pairing_cb.is_ssp = TRUE; 
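Review bot: The three `BOND_TYPE_*` defines have no comment saying that 0 must remain the non-persistent value, although the commit message gives that as the reason for the change (a control block reset to zero must not lead to a stored link key). I would add `/* 0 must stay BOND_TYPE_UNKNOWN: a zeroed pairing_cb must never be read as a persistent bond */` above them, so a later renumbering does not silently restore the old default. The commit message also still calls the field "persistent_bond", while the code names it `bond_type` with three values. The rest of the struct is outside the hunk.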
@@ -987,11 +991,11 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl) if ( (p_auth_cmpl->success == TRUE) && (p_auth_cmpl->key_present) ) { if ((p_auth_cmpl->key_type < HCI_LKEY_TYPE_DEBUG_COMB) || (p_auth_cmpl->key_type == HCI_LKEY_TYPE_AUTH_COMB) || - (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || (!pairing_cb.is_temp)) + (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || pairing_cb.bond_type == BOND_TYPE_PERSISTENT) { bt_status_t ret; - BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, is_temp=%d", - __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp); + BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, bond_type=%d", + __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type); ret = btif_storage_add_bonded_device(&bd_addr, p_auth_cmpl->key, p_auth_cmpl->key_type, pairing_cb.pin_code_len); @@ -999,9 +1003,9 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl) } else { - BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, is_temp=%d", - __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp); - if(pairing_cb.is_temp) + BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, bond_type=%d", + __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type); + if(pairing_cb.bond_type == BOND_TYPE_TEMPORARY) { BTIF_TRACE_DEBUG("%s: sending BT_BOND_STATE_NONE for Temp pairing", __FUNCTION__); @@ -2945,7 +2949,7 @@ void btif_dm_ble_sec_req_evt(tBTA_DM_BLE_SEC_REQ *p_ble_req) bond_state_changed(BT_STATUS_SUCCESS, &bd_addr, BT_BOND_STATE_BONDING); - pairing_cb.is_temp = FALSE; + pairing_cb.bond_type = BOND_TYPE_PERSISTENT; pairing_cb.is_le_only = TRUE; pairing_cb.is_ssp = TRUE; |
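Review bot: The store condition in btif_dm_auth_cmpl_evt still ORs the three key_type clauses with the bond_type test, so for `key_type < HCI_LKEY_TYPE_DEBUG_COMB`, `HCI_LKEY_TYPE_AUTH_COMB` and `HCI_LKEY_TYPE_CHANGED_COMB` the key reaches btif_storage_add_bonded_device whatever bond_type holds, including BOND_TYPE_TEMPORARY and BOND_TYPE_UNKNOWN. If that is intended, a comment such as `/* these key types are always stored; bond_type only decides for the remaining types */` would record it; if it is not, those clauses need to be combined with `pairing_cb.bond_type != BOND_TYPE_TEMPORARY`. The new clause is also the only one without its own parentheses; `(pairing_cb.bond_type == BOND_TYPE_PERSISTENT)` would match the others. The function starts and ends outside the hunk.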
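Review bot: In the else branch the inner test `if(pairing_cb.bond_type == BOND_TYPE_TEMPORARY)` can only separate TEMPORARY from UNKNOWN, assuming this else pairs with the store condition of the previous hunk, where PERSISTENT is already consumed. An UNKNOWN bond therefore skips storage but also skips the BT_BOND_STATE_NONE path, and what it reports afterwards depends on code outside the hunk. Since the commit message says an unset flag should behave as a temporary bond, either test `pairing_cb.bond_type != BOND_TYPE_PERSISTENT` here or add a comment naming the path UNKNOWN is meant to take. The trace text prints "Temporary key" for both cases, so the logged `bond_type` value is the only way to tell them apart.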
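Review bot: In btif_dm_ble_sec_req_evt, `pairing_cb.bond_type = BOND_TYPE_PERSISTENT;` is assigned after `bond_state_changed(BT_STATUS_SUCCESS, &bd_addr, BT_BOND_STATE_BONDING)`, yet bond_state_changed reads `pairing_cb.bond_type` (the hunk at -469) to decide whether to rewrite the state to BT_BOND_STATE_NONE. If an earlier pairing left BOND_TYPE_TEMPORARY in the control block, this call would act on the stale value; whether pairing_cb is cleared in between is not visible here. Consider assigning bond_type before the call, provided bond_state_changed does not itself reset the block, or add a comment stating where the block is cleared. A one-line comment on why every BLE security request is treated as persistent would also help, e.g. `/* LE pairing is always bonded here; no temporary LE bonds */` if that is indeed the intent.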