From 1c6c6998bcc43896884e9e542ba0b52840d0407c Mon Sep 17 00:00:00 2001 From: Chinmay Chhajed Date: Thu, 4 Feb 2021 00:41:13 +0530 Subject: [PATCH 1/3] bt: removed esp_bt_get_mac() There was no need for this function as there is already a way present to fetch own mac address. Own mac addr can be fetched by calling controller_get_interface(). --- components/bt/controller/bt.c | 9 --------- components/bt/host/bluedroid/stack/btm/btm_sec.c | 5 ++--- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/components/bt/controller/bt.c b/components/bt/controller/bt.c index fd221dd817..c50629091f 100644 --- a/components/bt/controller/bt.c +++ b/components/bt/controller/bt.c @@ -404,8 +404,6 @@ SOC_RESERVE_MEMORY_REGION(SOC_MEM_BT_DATA_START, SOC_MEM_BT_DATA_END, static DRAM_ATTR struct osi_funcs_t *osi_funcs_p; -static uint8_t own_bda[6]; - #if CONFIG_SPIRAM_USE_MALLOC static DRAM_ATTR btdm_queue_item_t btdm_queue_table[BTDM_MAX_QUEUE_NUM]; static DRAM_ATTR SemaphoreHandle_t btdm_queue_table_mux = NULL; @@ -1358,7 +1356,6 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) cfg->bt_max_sync_conn = CONFIG_BTDM_CTRL_BR_EDR_MAX_SYNC_CONN_EFF; cfg->magic = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL; - read_mac_wrapper(own_bda); if (((cfg->mode & ESP_BT_MODE_BLE) && (cfg->ble_max_conn <= 0 || cfg->ble_max_conn > BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_acl_conn <= 0 || cfg->bt_max_acl_conn > BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_sync_conn > BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT))) { @@ -1647,12 +1644,6 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void) return btdm_controller_status; } -uint8_t* esp_bt_get_mac(void) -{ - return own_bda; -} - - /* extra functions */ esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level) { diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c index ea431db9f9..617fd9d81c 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_sec.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c @@ -36,7 +36,6 @@ #include "osi/fixed_queue.h" #include "osi/alarm.h" #include "stack/btm_ble_api.h" -#include "esp_bt.h" #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) /* needed for sprintf() */ @@ -2634,8 +2633,8 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) /* Check if peer device's and our BD_ADDR is same or not. It should be different to avoid 'Impersonation in the Pin Pairing Protocol' (CVE-2020-26555) vulnerability. */ - if (memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0) { - BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR\n"); + if (memcmp((uint8_t *)bda, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) { + BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR"); btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); return; } From 428e9b008c6d580397f3d5e8ed475e63858f28d4 Mon Sep 17 00:00:00 2001 From: Chinmay Chhajed Date: Wed, 3 Feb 2021 18:55:17 +0530 Subject: [PATCH 2/3] Bluedroid: Do not initiate/accept connection with device having same BDADDR. Added BD_ADDR comparison in l2cu_lcp_allocate and removed check from security connection request handler as it's handled in l2cu_lcp_allocate for both connection request and create connection. --- components/bt/host/bluedroid/stack/btm/btm_sec.c | 9 --------- components/bt/host/bluedroid/stack/l2cap/l2c_utils.c | 10 ++++++++++ 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c index 617fd9d81c..2eaed8306d 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_sec.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c @@ -2630,15 +2630,6 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) return; } - /* Check if peer device's and our BD_ADDR is same or not. It - should be different to avoid 'Impersonation in the Pin Pairing - Protocol' (CVE-2020-26555) vulnerability. */ - if (memcmp((uint8_t *)bda, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) { - BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR"); - btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); - return; - } - /* Security guys wants us not to allow connection from not paired devices */ /* Check if connection is allowed for only paired devices */ diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c index dcf3317c7d..1af893354c 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c @@ -52,6 +52,16 @@ tL2C_LCB *l2cu_allocate_lcb (BD_ADDR p_bd_addr, BOOLEAN is_bonding, tBT_TRANSPOR int xx; tL2C_LCB *p_lcb = &l2cb.lcb_pool[0]; +#if (CLASSIC_BT_INCLUDED == TRUE) + /* Check if peer device's and our BD_ADDR is same or not. It + should be different to avoid 'Impersonation in the Pin Pairing + Protocol' (CVE-2020-26555) vulnerability. */ + if (memcmp((uint8_t *)p_bd_addr, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) { + L2CAP_TRACE_ERROR ("%s connection rejected due to same BD ADDR", __func__); + return (NULL); + } +#endif + for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) { if (!p_lcb->in_use) { btu_free_timer(&p_lcb->timer_entry); From a585bb54e4542573c271be63482639c2d222e71a Mon Sep 17 00:00:00 2001 From: Chinmay Chhajed Date: Wed, 10 Feb 2021 17:52:35 +0530 Subject: [PATCH 3/3] bt: NULL combkey check and fixed divide by zero error. - Added check for NULL valued combination key. (cbc69c8b9) - Fix divided by zero err & clear timer after remote reject when respond the parameters update (d886f91) --- components/bt/controller/lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/bt/controller/lib b/components/bt/controller/lib index 73fa0bcb51..0a7edb5acf 160000 --- a/components/bt/controller/lib +++ b/components/bt/controller/lib @@ -1 +1 @@ -Subproject commit 73fa0bcb5132f4ea3eebde88f0599920664a8257 +Subproject commit 0a7edb5acf88414778fa56708a29958d527f5f2c