| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Sep 2020 02:08:57 +0800
From: Archie Pusaka <apusaka@...gle.com>
To: linux-bluetooth <linux-bluetooth@...r.kernel.org>,
Marcel Holtmann <marcel@...tmann.org>
Cc: CrosBT Upstreaming <chromeos-bluetooth-upstreaming@...omium.org>,
Archie Pusaka <apusaka@...omium.org>,
Alain Michaud <alainm@...omium.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Johan Hedberg <johan.hedberg@...il.com>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH v2] Bluetooth: send proper config param to unknown config request
From: Archie Pusaka <apusaka@...omium.org>
When receiving an L2CAP_CONFIGURATION_REQ with an unknown config
type, currently we will reply with L2CAP_CONFIGURATION_RSP with
a list of unknown types as the config param. However, this is not
a correct format of config param.
As described in the bluetooth spec v5.2, Vol 3, Part A, Sec 5,
the config param should consists of type, length, and optionally
data.
This patch copies the length and data from the received
L2CAP_CONFIGURATION_REQ and also appends them to the config param
of the corresponding L2CAP_CONFIGURATION_RSP to match the format
of the config param according to the spec.
Here's some btmon traces.
//------- Without Patch -------//
> ACL Data RX: Handle 256 flags 0x02 dlen 24 #58 [hci0] 21.570741
L2CAP: Configure Request (0x04) ident 5 len 16
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [mandatory]
10 00 11 02 11 00 12 02 12 00 ..........
< ACL Data TX: Handle 256 flags 0x00 dlen 17 #59 [hci0] 21.570892
L2CAP: Configure Response (0x05) ident 5 len 9
Source CID: 64
Flags: 0x0000
Result: Failure - unknown options (0x0003)
Option: Unknown (0x10) [mandatory]
12
// Btmon parses it wrong - we sent 10 11 12 instead of just 12.
//------- With Patch -------//
> ACL Data RX: Handle 256 flags 0x02 dlen 24 #58 [hci0] 22.188308
L2CAP: Configure Request (0x04) ident 9 len 16
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [mandatory]
10 00 11 02 11 00 12 02 12 00 ..........
< ACL Data TX: Handle 256 flags 0x00 dlen 26 #59 [hci0] 22.188516
L2CAP: Configure Response (0x05) ident 9 len 18
Source CID: 64
Flags: 0x0000
Result: Failure - unknown options (0x0003)
Option: Unknown (0x10) [mandatory]
10 00 11 02 11 00 12 02 12 00 ..........
Signed-off-by: Archie Pusaka <apusaka@...omium.org>
Reviewed-by: Alain Michaud <alainm@...omium.org>
---
Changes in v2:
* Add btmon traces in the commit message
net/bluetooth/l2cap_core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 1ab27b90ddcb..4e65854b2f1c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3627,7 +3627,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
if (hint)
break;
result = L2CAP_CONF_UNKNOWN;
- *((u8 *) ptr++) = type;
+ l2cap_add_conf_opt(&ptr, type, olen, val,
+ endptr - ptr);
break;
}
}
@@ -3658,7 +3659,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
}
done:
- if (chan->mode != rfc.mode) {
+ if (chan->mode != rfc.mode && result != L2CAP_CONF_UNKNOWN) {
result = L2CAP_CONF_UNACCEPT;
rfc.mode = chan->mode;
--
2.28.0.681.g6f77f65b4e-goog
Powered by blists - more mailing lists