Resolve incomplete fix for SMP authentication bypass

Fix for b/251514170 was landed correctly on main, but in older branches
SMP contains identical functions smp_proc_init and smp_proc_rand, both
of which exhibit the problem, and only the former of which was patched.
This allows the problem to still appear on branches from sc-dev to
udc-dev.

Add the logic to smp_proc_rand.

Bug: 251514170
Test: m com.android.btservices
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b6737a08f5718b6400ffe78b494cb5f0779e56e)
Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc
Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
diff --git a/system/stack/smp/smp_act.cc b/system/stack/smp/smp_act.cc index bbbf3dc2..5dbef58 100644 --- a/system/stack/smp/smp_act.cc +++ b/system/stack/smp/smp_act.cc
@@ -686,6 +686,17 @@ return; } + if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) && + (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) && + !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) { + // in legacy pairing, the peer should send its rand after + // we send our confirm + tSMP_INT_DATA smp_int_data{}; + smp_int_data.status = SMP_INVALID_PARAMETERS; + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); + return; + } + /* save the SRand for comparison */ STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN); }
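Review bot: the new guard in smp_proc_rand is, per the commit message, a copy of the one already landed in smp_proc_init, and that duplication is exactly what let the second code path go unpatched; consider hoisting the "legacy pairing and SMP_PAIR_FLAGS_CMD_CONFIRM_SENT not yet set" test into one shared helper (a hypothetical name would be something like `smp_is_rand_before_confirm(p_cb)`) so both callers reject the out-of-order message through the same lines and a future fix cannot again miss one of them. Two smaller points on the same hunk: the early-return path emits `SMP_AUTH_CMPL_EVT` with `SMP_INVALID_PARAMETERS` but writes no log entry, so an out-of-order rand that aborts pairing leaves no trace for anyone investigating a failed or suspicious pairing; a warning log naming the rejected command before `return;` would make the condition observable. And the `Test:` line records only a build (`m com.android.btservices`); a unit test that delivers a rand before the local confirm has been sent and asserts that pairing completes with `SMP_INVALID_PARAMETERS` would pin the behaviour on the older branches this change targets.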