aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohan Hedberg <johan.hedberg@nokia.com>2011-01-19 01:36:52 -0500
committerGustavo F. Padovan <padovan@profusion.mobi>2011-01-19 11:43:11 -0500
commit765c2a964b49bd06b61a52991519281c85d82b67 (patch)
treee646cb50bd43f9a74583391805529d3397934f42
parentd00ef24fc2923b65fdd440dc6445903e965841ac (diff)
Bluetooth: Fix race condition with conn->sec_level
The conn->sec_level value is supposed to represent the current level of security that the connection has. However, by assigning to it before requesting authentication it will have the wrong value during the authentication procedure. To fix this a pending_sec_level variable is added which is used to track the desired security level while making sure that sec_level always represents the current level of security. Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
-rw-r--r--include/net/bluetooth/hci_core.h1
-rw-r--r--net/bluetooth/hci_conn.c8
-rw-r--r--net/bluetooth/hci_event.c9
3 files changed, 12 insertions, 6 deletions
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index a29feb01854e..d2cf88407690 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -184,6 +184,7 @@ struct hci_conn {
184 __u32 link_mode; 184 __u32 link_mode;
185 __u8 auth_type; 185 __u8 auth_type;
186 __u8 sec_level; 186 __u8 sec_level;
187 __u8 pending_sec_level;
187 __u8 power_save; 188 __u8 power_save;
188 __u16 disc_timeout; 189 __u16 disc_timeout;
189 unsigned long pend; 190 unsigned long pend;
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index fe712a89a856..99cd8d9d891b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -379,7 +379,8 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
379 hci_conn_hold(acl); 379 hci_conn_hold(acl);
380 380
381 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 381 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
382 acl->sec_level = sec_level; 382 acl->sec_level = BT_SECURITY_LOW;
383 acl->pending_sec_level = sec_level;
383 acl->auth_type = auth_type; 384 acl->auth_type = auth_type;
384 hci_acl_connect(acl); 385 hci_acl_connect(acl);
385 } 386 }
@@ -437,8 +438,11 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
437{ 438{
438 BT_DBG("conn %p", conn); 439 BT_DBG("conn %p", conn);
439 440
441 if (conn->pending_sec_level > sec_level)
442 sec_level = conn->pending_sec_level;
443
440 if (sec_level > conn->sec_level) 444 if (sec_level > conn->sec_level)
441 conn->sec_level = sec_level; 445 conn->pending_sec_level = sec_level;
442 else if (conn->link_mode & HCI_LM_AUTH) 446 else if (conn->link_mode & HCI_LM_AUTH)
443 return 1; 447 return 1;
444 448
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 38100170d380..a290854fdaa6 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -692,13 +692,13 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
692 if (conn->state != BT_CONFIG || !conn->out) 692 if (conn->state != BT_CONFIG || !conn->out)
693 return 0; 693 return 0;
694 694
695 if (conn->sec_level == BT_SECURITY_SDP) 695 if (conn->pending_sec_level == BT_SECURITY_SDP)
696 return 0; 696 return 0;
697 697
698 /* Only request authentication for SSP connections or non-SSP 698 /* Only request authentication for SSP connections or non-SSP
699 * devices with sec_level HIGH */ 699 * devices with sec_level HIGH */
700 if (!(hdev->ssp_mode > 0 && conn->ssp_mode > 0) && 700 if (!(hdev->ssp_mode > 0 && conn->ssp_mode > 0) &&
701 conn->sec_level != BT_SECURITY_HIGH) 701 conn->pending_sec_level != BT_SECURITY_HIGH)
702 return 0; 702 return 0;
703 703
704 return 1; 704 return 1;
@@ -1095,9 +1095,10 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1095 1095
1096 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 1096 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1097 if (conn) { 1097 if (conn) {
1098 if (!ev->status) 1098 if (!ev->status) {
1099 conn->link_mode |= HCI_LM_AUTH; 1099 conn->link_mode |= HCI_LM_AUTH;
1100 else 1100 conn->sec_level = conn->pending_sec_level;
1101 } else
1101 conn->sec_level = BT_SECURITY_LOW; 1102 conn->sec_level = BT_SECURITY_LOW;
1102 1103
1103 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1104 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);