diff options
| author | Johan Hedberg <johan.hedberg@intel.com> | 2013-01-20 07:27:19 -0500 |
|---|---|---|
| committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-01-22 22:59:55 -0500 |
| commit | 4ee71b2017336f68128515bdbe7c946a39aa9250 (patch) | |
| tree | 46ba5e222954a6a9d66af48dbf8ad19b693990bf /net | |
| parent | 679efe2b4fcbe575bc4c94c410039e35c169bfb6 (diff) | |
Bluetooth: Fix checking for valid address type values in mgmt commands
This patch adds checks for valid address type values passed to mgmt
commands. If an invalid address type is encountered the code will return
a proper invalid params response.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/mgmt.c | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index bc04c444c98e..7dd2de1c2152 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c | |||
| @@ -1526,6 +1526,14 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 1526 | BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys, | 1526 | BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys, |
| 1527 | key_count); | 1527 | key_count); |
| 1528 | 1528 | ||
| 1529 | for (i = 0; i < key_count; i++) { | ||
| 1530 | struct mgmt_link_key_info *key = &cp->keys[i]; | ||
| 1531 | |||
| 1532 | if (key->addr.type != BDADDR_BREDR) | ||
| 1533 | return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, | ||
| 1534 | MGMT_STATUS_INVALID_PARAMS); | ||
| 1535 | } | ||
| 1536 | |||
| 1529 | hci_dev_lock(hdev); | 1537 | hci_dev_lock(hdev); |
| 1530 | 1538 | ||
| 1531 | hci_link_keys_clear(hdev); | 1539 | hci_link_keys_clear(hdev); |
| @@ -1573,12 +1581,17 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 1573 | struct hci_conn *conn; | 1581 | struct hci_conn *conn; |
| 1574 | int err; | 1582 | int err; |
| 1575 | 1583 | ||
| 1576 | hci_dev_lock(hdev); | ||
| 1577 | |||
| 1578 | memset(&rp, 0, sizeof(rp)); | 1584 | memset(&rp, 0, sizeof(rp)); |
| 1579 | bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); | 1585 | bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); |
| 1580 | rp.addr.type = cp->addr.type; | 1586 | rp.addr.type = cp->addr.type; |
| 1581 | 1587 | ||
| 1588 | if (!bdaddr_type_is_valid(cp->addr.type)) | ||
| 1589 | return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, | ||
| 1590 | MGMT_STATUS_INVALID_PARAMS, | ||
| 1591 | &rp, sizeof(rp)); | ||
| 1592 | |||
| 1593 | hci_dev_lock(hdev); | ||
| 1594 | |||
| 1582 | if (!hdev_is_powered(hdev)) { | 1595 | if (!hdev_is_powered(hdev)) { |
| 1583 | err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, | 1596 | err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, |
| 1584 | MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp)); | 1597 | MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp)); |
| @@ -1643,6 +1656,10 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 1643 | 1656 | ||
| 1644 | BT_DBG(""); | 1657 | BT_DBG(""); |
| 1645 | 1658 | ||
| 1659 | if (!bdaddr_type_is_valid(cp->addr.type)) | ||
| 1660 | return cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT, | ||
| 1661 | MGMT_STATUS_INVALID_PARAMS); | ||
| 1662 | |||
| 1646 | hci_dev_lock(hdev); | 1663 | hci_dev_lock(hdev); |
| 1647 | 1664 | ||
| 1648 | if (!test_bit(HCI_UP, &hdev->flags)) { | 1665 | if (!test_bit(HCI_UP, &hdev->flags)) { |
| @@ -1947,6 +1964,11 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 1947 | bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); | 1964 | bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); |
| 1948 | rp.addr.type = cp->addr.type; | 1965 | rp.addr.type = cp->addr.type; |
| 1949 | 1966 | ||
| 1967 | if (!bdaddr_type_is_valid(cp->addr.type)) | ||
| 1968 | return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE, | ||
| 1969 | MGMT_STATUS_INVALID_PARAMS, | ||
| 1970 | &rp, sizeof(rp)); | ||
| 1971 | |||
| 1950 | hci_dev_lock(hdev); | 1972 | hci_dev_lock(hdev); |
| 1951 | 1973 | ||
| 1952 | if (!hdev_is_powered(hdev)) { | 1974 | if (!hdev_is_powered(hdev)) { |
| @@ -2564,6 +2586,10 @@ static int block_device(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 2564 | 2586 | ||
| 2565 | BT_DBG("%s", hdev->name); | 2587 | BT_DBG("%s", hdev->name); |
| 2566 | 2588 | ||
| 2589 | if (!bdaddr_type_is_valid(cp->addr.type)) | ||
| 2590 | return cmd_status(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, | ||
| 2591 | MGMT_STATUS_INVALID_PARAMS); | ||
| 2592 | |||
| 2567 | hci_dev_lock(hdev); | 2593 | hci_dev_lock(hdev); |
| 2568 | 2594 | ||
| 2569 | err = hci_blacklist_add(hdev, &cp->addr.bdaddr, cp->addr.type); | 2595 | err = hci_blacklist_add(hdev, &cp->addr.bdaddr, cp->addr.type); |
| @@ -2589,6 +2615,10 @@ static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data, | |||
| 2589 | 2615 | ||
| 2590 | BT_DBG("%s", hdev->name); | 2616 | BT_DBG("%s", hdev->name); |
| 2591 | 2617 | ||
| 2618 | if (!bdaddr_type_is_valid(cp->addr.type)) | ||
| 2619 | return cmd_status(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, | ||
| 2620 | MGMT_STATUS_INVALID_PARAMS); | ||
| 2621 | |||
| 2592 | hci_dev_lock(hdev); | 2622 | hci_dev_lock(hdev); |
| 2593 | 2623 | ||
| 2594 | err = hci_blacklist_del(hdev, &cp->addr.bdaddr, cp->addr.type); | 2624 | err = hci_blacklist_del(hdev, &cp->addr.bdaddr, cp->addr.type); |
| @@ -2707,6 +2737,8 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key) | |||
| 2707 | return false; | 2737 | return false; |
| 2708 | if (key->master != 0x00 && key->master != 0x01) | 2738 | if (key->master != 0x00 && key->master != 0x01) |
| 2709 | return false; | 2739 | return false; |
| 2740 | if (!bdaddr_type_is_le(key->addr.type)) | ||
| 2741 | return false; | ||
| 2710 | return true; | 2742 | return true; |
| 2711 | } | 2743 | } |
| 2712 | 2744 | ||