From 6a4e69f442a2e3cfd5e016d016ed42b4b420b1f9 Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Thu, 4 Feb 2021 00:41:13 +0530
Subject: [PATCH 1/3] bt: removed esp_bt_get_mac()
There was no need for this function as there is already a way present to fetch own mac address. Own mac addr can be fetched by calling controller_get_interface().
---
 components/bt/bluedroid/stack/btm/btm_sec.c | 5 ++---
 components/bt/bt.c | 9 ---------
 components/bt/include/esp_bt.h | 6 ------
 3 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/components/bt/bluedroid/stack/btm/btm_sec.c b/components/bt/bluedroid/stack/btm/btm_sec.c
index d58d5261b4..c0bfe51357 100644
--- a/components/bt/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/bluedroid/stack/btm/btm_sec.c
@@ -35,7 +35,6 @@
 #include "l2c_int.h"
 #include "osi/fixed_queue.h"
 #include "osi/alarm.h"
-#include "esp_bt.h"
 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
 /* needed for sprintf() */
@@ -2620,8 +2619,8 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
 /* Check if peer device's and our BD_ADDR is same or not. It should be different to avoid 'Impersonation in the Pin Pairing Protocol' (CVE-2020-26555) vulnerability. */
- if (memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0) {
- BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR\n");
+ if (memcmp((uint8_t *)bda, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
+ BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR");
 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
 return;
 }
diff --git a/components/bt/bt.c b/components/bt/bt.c
index 40db4647d7..b7b589373b 100644
--- a/components/bt/bt.c
+++ b/components/bt/bt.c
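Review bot: The comparison in `btm_sec_conn_req` only guards the inbound connection-request path, so a connection this device initiates toward a peer carrying its own BD_ADDR is not caught here; PATCH 2/3 of this series relocates the check into `l2cu_allocate_lcb`, which both paths pass through, so this version is interim and the commit message could say so. The first hunk of this file drops `#include "esp_bt.h"` while the new condition calls `controller_get_interface()`; whether btm_sec.c already includes the header that declares it is not visible in the hunk, so confirm the file builds in every configuration that compiles it. Dropping the trailing `\n` from the BTM_TRACE_ERROR string is unrelated to the stated purpose and is worth a one-line mention, presumably because the macro supplies its own line ending. btm_sec_conn_req's body starts and ends outside the hunk.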
@@ -401,8 +401,6 @@ SOC_RESERVE_MEMORY_REGION(SOC_MEM_BT_DATA_START, SOC_MEM_BT_DATA_END,
 static DRAM_ATTR struct osi_funcs_t *osi_funcs_p;
-static uint8_t own_bda[6];
-
 #if CONFIG_SPIRAM_USE_MALLOC
 static DRAM_ATTR btdm_queue_item_t btdm_queue_table[BTDM_MAX_QUEUE_NUM];
 static DRAM_ATTR SemaphoreHandle_t btdm_queue_table_mux = NULL;
@@ -1344,8 +1342,6 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg)
 //overwrite some parameters
 cfg->bt_max_sync_conn = CONFIG_BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_EFF;
 cfg->magic = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL;
-
- read_mac_wrapper(own_bda);
 if (((cfg->mode & ESP_BT_MODE_BLE) && (cfg->ble_max_conn <= 0 || cfg->ble_max_conn > BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_acl_conn <= 0 || cfg->bt_max_acl_conn > BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_sync_conn > BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT))) {
@@ -1614,11 +1610,6 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void)
 return btdm_controller_status;
 }
-uint8_t* esp_bt_get_mac(void)
-{
- return own_bda;
-}
-
 /* extra functions */
 esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level)
diff --git a/components/bt/include/esp_bt.h b/components/bt/include/esp_bt.h
index c2c5811d1e..f9d79487ba 100644
--- a/components/bt/include/esp_bt.h
+++ b/components/bt/include/esp_bt.h
@@ -331,12 +331,6 @@ esp_err_t esp_bt_controller_disable(void);
 */
 esp_bt_controller_status_t esp_bt_controller_get_status(void);
-/**
- * @brief Get BT MAC address.
- * @return Array pointer of length 6 storing MAC address value.
- */
-uint8_t* esp_bt_get_mac(void);
-
 /** @brief esp_vhci_host_callback
 * used for vhci call host function to notify what host need to do
 */
From 4936e8f86cc428414b7f0e22f2cf4e8ca7e32d75 Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Wed, 3 Feb 2021 18:55:17 +0530
Subject: [PATCH 2/3] Bluedroid: Do not initiate/accept connection with device having same BDADDR.
Added BD_ADDR comparison in l2cu_lcp_allocate and removed check from security connection request handler as it's handled in l2cu_lcp_allocate for both connection request and create connection.
---
 components/bt/bluedroid/stack/btm/btm_sec.c | 9 ---------
 components/bt/bluedroid/stack/l2cap/l2c_utils.c | 10 ++++++++++
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/components/bt/bluedroid/stack/btm/btm_sec.c b/components/bt/bluedroid/stack/btm/btm_sec.c
index c0bfe51357..fad74e1e10 100644
--- a/components/bt/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/bluedroid/stack/btm/btm_sec.c
@@ -2616,15 +2616,6 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
 return;
 }
- /* Check if peer device's and our BD_ADDR is same or not. It should be different to avoid 'Impersonation in the Pin Pairing Protocol' (CVE-2020-26555) vulnerability. */
- if (memcmp((uint8_t *)bda, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
- BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR");
- btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
- return;
- }
-
 /* Security guys wants us not to allow connection from not paired devices */
 /* Check if connection is allowed for only paired devices */
diff --git a/components/bt/bluedroid/stack/l2cap/l2c_utils.c b/components/bt/bluedroid/stack/l2cap/l2c_utils.c
index 4279a9961c..6349638063 100644
--- a/components/bt/bluedroid/stack/l2cap/l2c_utils.c
+++ b/components/bt/bluedroid/stack/l2cap/l2c_utils.c
@@ -52,6 +52,16 @@ tL2C_LCB *l2cu_allocate_lcb (BD_ADDR p_bd_addr, BOOLEAN is_bonding, tBT_TRANSPOR
 int xx;
 tL2C_LCB *p_lcb = &l2cb.lcb_pool[0];
+#if (CLASSIC_BT_INCLUDED == TRUE)
+ /* Check if peer device's and our BD_ADDR is same or not. It should be different to avoid 'Impersonation in the Pin Pairing Protocol' (CVE-2020-26555) vulnerability. */
+ if (memcmp((uint8_t *)p_bd_addr, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
+ L2CAP_TRACE_ERROR ("%s connection rejected due to same BD ADDR", __func__);
+ return (NULL);
+ }
+#endif
+
 for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
 if (!p_lcb->in_use) {
 btu_free_timer(&p_lcb->timer_entry);
From dcaaddae37985c1445b1c45fb30834754d5f1940 Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Wed, 10 Feb 2021 17:19:20 +0530
Subject: [PATCH 3/3] component/bt: Added check for NULL valued combination key.
---
 components/bt/lib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/bt/lib b/components/bt/lib
index 177397a063..9e270219e6 160000
--- a/components/bt/lib
+++ b/components/bt/lib
@@ -1 +1 @@
-Subproject commit 177397a0632761f4bf90236341d431a4bfadf86f
+Subproject commit 9e270219e6f48c7c05779eab87871b381cefa12a
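Review bot: The new guard is compiled in under `CLASSIC_BT_INCLUDED` but never consults the transport argument of `l2cu_allocate_lcb` (its name is cut off in the hunk header), so on a dual-mode build it also refuses an LE link whose peer address equals the controller address, while the comment justifies the check only by the BR/EDR PIN-pairing case CVE-2020-26555; either restrict the condition to the BR/EDR transport or widen the comment to say that both transports are intentionally covered. Returning NULL also replaces the explicit `btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE)` that the removed btm_sec.c code sent, so the HCI reject reason the peer sees on the inbound path is now whatever the caller uses for a failed allocation — presumably a resource error — which is worth confirming and recording in the commit message. The commit message names `l2cu_lcp_allocate`; the function in this hunk is `l2cu_allocate_lcb`. The function body continues outside the hunk.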