Fix an authentication bypass bug in SMP (25a3fcd4) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/smp/smp_act.cc

+12 −0

Original line number	Diff line number	Diff line
		@@ -286,6 +286,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		SMP_TRACE_DEBUG("%s", __func__);
		smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
		p_cb->flags \|= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
		}

		/*******************************************************************************
		@@ -647,6 +648,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
		return;
		}

		if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
		(p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
		!(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
		// in legacy pairing, the peer should send its rand after
		// we send our confirm
		tSMP_INT_DATA smp_int_data{};
		smp_int_data.status = SMP_INVALID_PARAMETERS;
		smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
		return;
		}

		/* save the SRand for comparison */
		STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
		}

+1 −0

Original line number	Diff line number	Diff line
		@@ -213,6 +213,7 @@ typedef union {
		(1 << 7) /* used to resolve race condition */
		#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
		(1 << 8) /* used on peripheral to resolve race condition */
		#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)

		/* check if authentication requirement need MITM protection */
		#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)