
Commit e4d902d8 authored by David Duarte's avatar David Duarte

security: Initialise connection handle to an invalid handle

The value 0 being in the 0x0000 to 0x0EFF range
is a valid Bluetooth connection handle.
Instead we initialise the connection handle with an invalid
value of 0xFFFF.

This bug was triggered by RootCanal, as it assigns a connection handle of 0
to its third connection.

Test: gd/cert/run SecurityTest
Change-Id: I16e1c17d9db0cb2c2b8f6099d3d669d0793e41b4
parent 983005bb
+1 −1
@@ -734,7 +734,7 @@ void SecurityManagerImpl::OnPairingFinished(security::PairingResultOrFailure pai

void SecurityManagerImpl::WipeLePairingHandler() {
  pending_le_pairing_.handler_.reset();
  pending_le_pairing_.connection_handle_ = 0;
  pending_le_pairing_.connection_handle_ = kInvalidConnectionHandle;
  pending_le_pairing_.address_ = hci::AddressWithType();
}
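Review bot: The reset on the new line now matches the header's in-class initializer, but any other site that still tests `connection_handle_ == 0` (or `!= 0`) as the "no LE pairing in flight" predicate would silently break with this change; none is visible in this hunk, so it is worth a grep before merging. A short why-comment above the assignment would stop the next reader from "simplifying" it back to 0: `// 0 is a valid HCI handle (0x0000-0x0EFF); use the sentinel so a real handle-0 link is never mistaken for "no pending pairing".` WipeLePairingHandler is fully visible in this hunk.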

+3 −1
@@ -46,6 +46,8 @@ static constexpr hci::AuthenticationRequirements kDefaultAuthenticationRequireme

namespace internal {

static constexpr uint16_t kInvalidConnectionHandle = 0xFFFF;

struct LeFixedChannelEntry {
  std::unique_ptr<l2cap::le::FixedChannel> channel_;
  std::unique_ptr<os::EnqueueBuffer<packet::BasePacketBuilder>> enqueue_buffer_;
@@ -278,7 +280,7 @@ class SecurityManagerImpl : public channel::ISecurityManagerChannelListener, pub

  struct {
    hci::AddressWithType address_;
    uint16_t connection_handle_;
    uint16_t connection_handle_{kInvalidConnectionHandle};
    std::unique_ptr<PairingHandlerLe> handler_;
  } pending_le_pairing_;
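Review bot: The new `kInvalidConnectionHandle` constant carries no comment, so the reason 0xFFFF is safe as a sentinel lives only in the commit message; add it at the definition, e.g. `// HCI connection handles occupy 0x0000-0x0EFF, so 0xFFFF can never collide with a real link (0 can).` As a point of style, a namespace-scope `static constexpr` in a header gives every translation unit its own copy; `inline constexpr uint16_t kInvalidConnectionHandle = 0xFFFF;` is the C++17 idiom for a header-defined constant, if the project's toolchain allows it. The member initializer `connection_handle_{kInvalidConnectionHandle}` in the second hunk is the right place for the default; the enclosing class starts and ends outside that hunk.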