linux-hardened/net/bluetooth
Johan Hedberg b28b494366 Bluetooth: Add strict checks for allowed SMP PDUs
SMP defines quite clearly when certain PDUs are to be expected/allowed
and when not, but doesn't have any explicit request/response definition.
So far the code has relied on each PDU handler to behave correctly if
receiving PDUs at an unexpected moment, however this requires many
different checks and is prone to errors.

This patch introduces a generic way to keep track of allowed PDUs and
thereby reduces the responsibility & load on individual command
handlers. The tracking is implemented using a simple bit-mask where each
opcode maps to its own bit. If the bit is set the corresponding PDU is
allow and if the bit is not set the PDU is not allowed.

As a simple example, when we send the Pairing Request we'd set the bit
for Pairing Response, and when we receive the Pairing Response we'd
clear the bit for Pairing Response.

Since the disallowed PDU rejection is now done in a single central place
we need to be a bit careful of which action makes most sense to all
cases. Previously some, such as Security Request, have been simply
ignored whereas others have caused an explicit disconnect.

The only PDU rejection action that keeps good interoperability and can
be used for all the applicable use cases is to drop the data. This may
raise some concerns of us now being more lenient for misbehaving (and
potentially malicious) devices, but the policy of simply dropping data
has been a successful one for many years e.g. in L2CAP (where this is
the *only* policy for such cases - we never request disconnection in
l2cap_core.c because of bad data). Furthermore, we cannot prevent
connected devices from creating the SMP context (through a Security or
Pairing Request), and once the context exists looking up the
corresponding bit for the received opcode and deciding to reject it is
essentially an equally lightweight operation as the kind of rejection
that l2cap_core.c already successfully does.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2014-09-08 19:07:56 +02:00
..
bnep net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
cmtp Bluetooth: cmtp: Remove unnecessary null test 2014-07-14 23:00:13 +02:00
hidp Bluetooth: Improve *_get() functions to return the object type 2014-09-08 19:07:52 +02:00
rfcomm Bluetooth: Avoid use of session socket after the session gets freed 2014-07-22 16:07:31 +02:00
6lowpan.c Bluetooth: Fix confusion between parent and child channel for 6lowpan 2014-08-14 08:49:11 +02:00
a2mp.c Bluetooth: Provide L2CAP ops callback for memcpy_fromiovec 2014-07-03 17:42:43 +02:00
a2mp.h Bluetooth: Move a2mp.h header file into net/bluetooth/ 2013-10-11 00:10:05 +02:00
af_bluetooth.c Bluetooth: constify seq_operations 2014-07-03 17:42:52 +02:00
amp.c Bluetooth: Remove unneeded variable assignment in hmac_sha256 2014-07-20 19:53:11 +03:00
amp.h Bluetooth: Move amp.h header file into net/bluetooth/ 2013-10-11 00:10:03 +02:00
hci_conn.c Bluetooth: Move clock offset reading into hci_disconnect() 2014-09-08 19:07:55 +02:00
hci_core.c Bluetooth: Refactor connection parameter freeing into its own function 2014-09-08 19:07:53 +02:00
hci_event.c Bluetooth: Fix using hci_conn_get() for hci_conn pointers 2014-09-08 19:07:53 +02:00
hci_sock.c Bluetooth: Move struct hci_pinfo into net/bluetooth/hci_sock.c 2014-07-11 13:55:14 +03:00
hci_sysfs.c Bluetooth: Convert to use ATTRIBUTE_GROUPS macro 2014-02-13 09:51:34 +02:00
Kconfig 6lowpan: introduce new net/6lowpan directory 2014-07-12 01:53:30 +02:00
l2cap_core.c Bluetooth: Move identity address update behind a workqueue 2014-09-08 19:07:55 +02:00
l2cap_sock.c Bluetooth: Fix hci_conn reference counting for fixed channels 2014-09-08 19:07:52 +02:00
lib.c Bluetooth: Add error mapping for Directed Advertising Timeout 2014-03-26 09:31:36 -07:00
Makefile Bluetooth: 6LoWPAN: Create a kernel module 2014-07-03 17:42:44 +02:00
mgmt.c Bluetooth: Use hci_disconnect() for mgmt_disconnect_device() 2014-09-08 19:07:55 +02:00
sco.c Bluetooth: never linger on process exit 2014-07-17 12:13:06 +02:00
smp.c Bluetooth: Add strict checks for allowed SMP PDUs 2014-09-08 19:07:56 +02:00
smp.h Bluetooth: Add strict checks for allowed SMP PDUs 2014-09-08 19:07:56 +02:00