
Commit 7beac6cb authored by Brian Delwiche

Resolve incomplete fix for SMP authentication bypass

Fix for b/25992313 was landed correctly on main, but in older branches
SMP contains identical functions smp_proc_init and smp_proc_rand, both
of which exhibit the problem, and only the former of which was patched.
This allows the problem to still appear on branches from sc-dev to
udc-dev.

Add the logic to smp_proc_rand.

Bug: 251514170
Test: m com.android.btservices
Tag: #security
Ignore-AOSP-First: security
Merged-In: Id36c06beb13bcbc9b499ef59f6d4e43ac616da10
Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
parent 2fc3087b
+11 −0
@@ -686,6 +686,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    return;
  }

  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
    // in legacy pairing, the peer should send its rand after
    // we send our confirm
    tSMP_INT_DATA smp_int_data{};
    smp_int_data.status = SMP_INVALID_PARAMETERS;
    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
    return;
  }

  /* save the SRand for comparison */
  STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
}
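Review bot: the added check is, per the commit message, a verbatim copy of the one already in smp_proc_init; consider hoisting it into a shared helper called from both smp_proc_init and smp_proc_rand (e.g. a hypothetical `smp_reject_legacy_rand_before_confirm(p_cb)`, name illustrative), so that the next change to this logic cannot again land in only one of the two functions, which is exactly how b/25992313 stayed open on sc-dev through udc-dev. The Test line records only a build (`m com.android.btservices`); a unit test that calls smp_proc_rand with SMP_SC_SUPPORT_BIT cleared in both loc_auth_req and peer_auth_req and SMP_PAIR_FLAGS_CMD_CONFIRM_SENT unset, and asserts that SMP_AUTH_CMPL_EVT is raised with status SMP_INVALID_PARAMETERS and that p_cb->rrand is left untouched, would pin the behaviour for both functions. A minor readability point: the double-negated condition `!((loc & SC) && (peer & SC)) && !(flags & CONFIRM_SENT)` would be clearer with a named boolean such as `is_legacy_pairing` computed once, matching the intent stated in the comment.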