Change pairing_cb to assume temporary pairing by default
When pairing takes place, the pairing_cb.is_temp flag indicates whether
a pairing is temporary or permanent. Link keys are not stored for
temporary pairings. Since this is a "positive" flag, resetting the
pairing_cb control block (ex. memset to 0), it will assume persistent
pairing by default. Under certain circumstances, this can lead to a link
key being stored for temporarily secured connection.
This patch reverses the flag to be a "negative" flag. Renamed to
"persistent_bond", the default 0 meaning is now used to indicate a
temporary bond. If the lag is not properly set now, it will default to a
temporary bond and will not save the link key erronously.
This fix is for CVE-2014-7914
Bug: 18345373
Change-Id: I6e821595877ff30d64dc6e33602ac049cab3dd1e
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index c8e1bac..46eac66 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -111,11 +111,15 @@
#define MAX_SDP_BL_ENTRIES 3
+#define BOND_TYPE_UNKNOWN 0
+#define BOND_TYPE_PERSISTENT 1
+#define BOND_TYPE_TEMPORARY 2
+
typedef struct
{
bt_bond_state_t state;
BD_ADDR bd_addr;
- UINT8 is_temp;
+ UINT8 bond_type;
UINT8 pin_code_len;
UINT8 is_ssp;
UINT8 auth_req;
@@ -469,7 +473,7 @@
if ( (pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING) )
return;
- if (pairing_cb.is_temp)
+ if (pairing_cb.bond_type == BOND_TYPE_TEMPORARY)
{
state = BT_BOND_STATE_NONE;
}
@@ -897,9 +901,9 @@
if (p_ssp_cfm_req->just_works && !(p_ssp_cfm_req->loc_auth_req & BTM_AUTH_BONDS) &&
!(p_ssp_cfm_req->rmt_auth_req & BTM_AUTH_BONDS) &&
!(check_cod((bt_bdaddr_t*)&p_ssp_cfm_req->bd_addr, COD_HID_POINTING)))
- pairing_cb.is_temp = TRUE;
+ pairing_cb.bond_type = BOND_TYPE_TEMPORARY;
else
- pairing_cb.is_temp = FALSE;
+ pairing_cb.bond_type = BOND_TYPE_PERSISTENT;
pairing_cb.is_ssp = TRUE;
@@ -987,11 +991,11 @@
if ( (p_auth_cmpl->success == TRUE) && (p_auth_cmpl->key_present) )
{
if ((p_auth_cmpl->key_type < HCI_LKEY_TYPE_DEBUG_COMB) || (p_auth_cmpl->key_type == HCI_LKEY_TYPE_AUTH_COMB) ||
- (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || (!pairing_cb.is_temp))
+ (p_auth_cmpl->key_type == HCI_LKEY_TYPE_CHANGED_COMB) || pairing_cb.bond_type == BOND_TYPE_PERSISTENT)
{
bt_status_t ret;
- BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, is_temp=%d",
- __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp);
+ BTIF_TRACE_DEBUG("%s: Storing link key. key_type=0x%x, bond_type=%d",
+ __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type);
ret = btif_storage_add_bonded_device(&bd_addr,
p_auth_cmpl->key, p_auth_cmpl->key_type,
pairing_cb.pin_code_len);
@@ -999,9 +1003,9 @@
}
else
{
- BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, is_temp=%d",
- __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.is_temp);
- if(pairing_cb.is_temp)
+ BTIF_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x, bond_type=%d",
+ __FUNCTION__, p_auth_cmpl->key_type, pairing_cb.bond_type);
+ if(pairing_cb.bond_type == BOND_TYPE_TEMPORARY)
{
BTIF_TRACE_DEBUG("%s: sending BT_BOND_STATE_NONE for Temp pairing",
__FUNCTION__);
@@ -2945,7 +2949,7 @@
bond_state_changed(BT_STATUS_SUCCESS, &bd_addr, BT_BOND_STATE_BONDING);
- pairing_cb.is_temp = FALSE;
+ pairing_cb.bond_type = BOND_TYPE_PERSISTENT;
pairing_cb.is_le_only = TRUE;
pairing_cb.is_ssp = TRUE;
