diff --git a/components/bt/controller/bt.c b/components/bt/controller/bt.c index bc76e63a40..e28406fdc6 100644 --- a/components/bt/controller/bt.c +++ b/components/bt/controller/bt.c @@ -374,6 +374,8 @@ SOC_RESERVE_MEMORY_REGION(SOC_MEM_BT_DATA_START, SOC_MEM_BT_DATA_END, static DRAM_ATTR struct osi_funcs_t *osi_funcs_p; +static uint8_t own_bda[6]; + #if CONFIG_SPIRAM_USE_MALLOC static DRAM_ATTR btdm_queue_item_t btdm_queue_table[BTDM_MAX_QUEUE_NUM]; static DRAM_ATTR SemaphoreHandle_t btdm_queue_table_mux = NULL; @@ -1256,6 +1258,7 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) cfg->bt_max_sync_conn = CONFIG_BTDM_CTRL_BR_EDR_MAX_SYNC_CONN_EFF; cfg->magic = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL; + read_mac_wrapper(own_bda); if (((cfg->mode & ESP_BT_MODE_BLE) && (cfg->ble_max_conn <= 0 || cfg->ble_max_conn > BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_acl_conn <= 0 || cfg->bt_max_acl_conn > BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT)) || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_sync_conn > BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT))) { @@ -1553,6 +1556,11 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void) return btdm_controller_status; } +uint8_t* esp_bt_get_mac(void) +{ + return own_bda; +} + /* extra functions */ esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level) diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c index e8ff1c9555..649ac4e316 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_sec.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c @@ -36,6 +36,7 @@ #include "osi/fixed_queue.h" #include "osi/alarm.h" #include "stack/btm_ble_api.h" +#include "esp_bt.h" #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) /* needed for sprintf() */ @@ -2630,6 +2631,15 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) return; } + /* Check if peer device's and our BD_ADDR is same or not. It + should be different to avoid 'Impersonation in the Pin Pairing + Protocol' (CVE-2020-26555) vulnerability. */ + if (memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0) { + BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR\n"); + btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); + return; + } + /* Security guys wants us not to allow connection from not paired devices */ /* Check if connection is allowed for only paired devices */ diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h index 3e93f96e68..3ab53703d3 100644 --- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h +++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h @@ -761,7 +761,7 @@ enum { BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP, /* Waiting for local response to peer OOB data */ BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS, /* Waiting for local IO capabilities and OOB data */ BTM_PAIR_STATE_INCOMING_SSP, /* Incoming SSP (got peer IO caps when idle) */ - BTM_PAIR_STATE_WAIT_AUTH_COMPLETE, /* All done, waiting authentication cpmplete */ + BTM_PAIR_STATE_WAIT_AUTH_COMPLETE, /* All done, waiting authentication complete */ BTM_PAIR_STATE_WAIT_DISCONNECT /* Waiting to disconnect the ACL */ }; typedef UINT8 tBTM_PAIRING_STATE; diff --git a/components/bt/include/esp_bt.h b/components/bt/include/esp_bt.h index c06ab4e802..dc6019d21b 100644 --- a/components/bt/include/esp_bt.h +++ b/components/bt/include/esp_bt.h @@ -351,6 +351,12 @@ esp_err_t esp_bt_controller_disable(void); */ esp_bt_controller_status_t esp_bt_controller_get_status(void); +/** + * @brief Get BT MAC address. + * @return Array pointer of length 6 storing MAC address value. + */ +uint8_t* esp_bt_get_mac(void); + /** @brief esp_vhci_host_callback * used for vhci call host function to notify what host need to do */