Bluetooth: SMP: If an unallowed command is received consider it a failure

If a command is received while a bonding is ongoing consider it a
pairing failure so the session is cleanup properly and the device is
disconnected immediately instead of continuing with other commands that
may result in the session to get stuck without ever completing such as
the case bellow:

> ACL Data RX: Handle 2048 flags 0x02 dlen 21
      SMP: Identity Information (0x08) len 16
        Identity resolving key[16]: d7e08edef97d3e62cd2331f82d8073b0
> ACL Data RX: Handle 2048 flags 0x02 dlen 21
      SMP: Signing Information (0x0a) len 16
        Signature key[16]: 1716c536f94e843a9aea8b13ffde477d
Bluetooth: hci0: unexpected SMP command 0x0a from XX:XX:XX:XX:XX:XX
> ACL Data RX: Handle 2048 flags 0x02 dlen 12
      SMP: Identity Address Information (0x09) len 7
        Address: XX:XX:XX:XX:XX:XX (Intel Corporate)

While accourding to core spec 6.1 the expected order is always BD_ADDR
first first then CSRK:

When using LE legacy pairing, the keys shall be distributed in the
following order:

    LTK by the Peripheral

    EDIV and Rand by the Peripheral

    IRK by the Peripheral

    BD_ADDR by the Peripheral

    CSRK by the Peripheral

    LTK by the Central

    EDIV and Rand by the Central

    IRK by the Central

    BD_ADDR by the Central

    CSRK by the Central

When using LE Secure Connections, the keys shall be distributed in the
following order:

    IRK by the Peripheral

    BD_ADDR by the Peripheral

    CSRK by the Peripheral

    IRK by the Central

    BD_ADDR by the Central

    CSRK by the Central

According to the Core 6.1 for commands used for key distribution "Key
Rejected" can be used:

  '3.6.1. Key distribution and generation

  A device may reject a distributed key by sending the Pairing Failed command
  with the reason set to "Key Rejected".

Fixes: b28b4943660f ("Bluetooth: Add strict checks for allowed SMP PDUs")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 47f359f24d1fde2e3d4e44010427f91c030b2253..a3a4ffee25c80df72c6876928fa756384354906e 100644 (file)
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2977,8 +2977,25 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
        if (code > SMP_CMD_MAX)
                goto drop;
 
-       if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
+       if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
+               /* If there is a context and the command is not allowed consider
+                * it a failure so the session is cleanup properly.
+                */
+               switch (code) {
+               case SMP_CMD_IDENT_INFO:
+               case SMP_CMD_IDENT_ADDR_INFO:
+               case SMP_CMD_SIGN_INFO:
+                       /* 3.6.1. Key distribution and generation
+                        *
+                        * A device may reject a distributed key by sending the
+                        * Pairing Failed command with the reason set to
+                        * "Key Rejected".
+                        */
+                       smp_failure(conn, SMP_KEY_REJECTED);
+                       break;
+               }
                goto drop;
+       }
 
        /* If we don't have a context the only allowed commands are
         * pairing request and security request.

diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 87a59ec2c9f02bca8ea6bc1e2c2e37b45048799e..c5da53dfab04f2339f854c7797e79337ae23bd5f 100644 (file)
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -138,6 +138,7 @@ struct smp_cmd_keypress_notify {
 #define SMP_NUMERIC_COMP_FAILED                0x0c
 #define SMP_BREDR_PAIRING_IN_PROGRESS  0x0d
 #define SMP_CROSS_TRANSP_NOT_ALLOWED   0x0e
+#define SMP_KEY_REJECTED               0x0f
 
 #define SMP_MIN_ENC_KEY_SIZE           7
 #define SMP_MAX_ENC_KEY_SIZE           16