From 092dc133cc0611a6bdf59dc65948d6de4ac5310c Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Thu, 14 Jan 2021 14:32:58 +0530
Subject: [PATCH] Bluedroid: Do not connect if peer BD_ADDR is same as own BD_ADDR.

---
 components/bt/bluedroid/stack/btm/btm_sec.c | 10 ++++++++++
 components/bt/bluedroid/stack/btm/include/btm_int.h | 2 +-
 components/bt/bt.c | 8 ++++++++
 components/bt/include/esp_bt.h | 6 ++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/components/bt/bluedroid/stack/btm/btm_sec.c b/components/bt/bluedroid/stack/btm/btm_sec.c
index fad74e1e10..d58d5261b4 100644
--- a/components/bt/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/bluedroid/stack/btm/btm_sec.c
@@ -35,6 +35,7 @@
 #include "l2c_int.h"
 #include "osi/fixed_queue.h"
 #include "osi/alarm.h"
+#include "esp_bt.h"
 
 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
 /* needed for sprintf() */
@@ -2616,6 +2617,15 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
         return;
     }
 
+    /* Check if peer device's and our BD_ADDR is same or not. It
+       should be different to avoid 'Impersonation in the Pin Pairing
+       Protocol' (CVE-2020-26555) vulnerability. */
+    if (memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0) {
+        BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR\n");
+        btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
+        return;
+    }
+
     /* Security guys wants us not to allow connection from not paired devices */
 
     /* Check if connection is allowed for only paired devices */
diff --git a/components/bt/bluedroid/stack/btm/include/btm_int.h b/components/bt/bluedroid/stack/btm/include/btm_int.h
index ec06bd6f8a..f284796315 100644
--- a/components/bt/bluedroid/stack/btm/include/btm_int.h
+++ b/components/bt/bluedroid/stack/btm/include/btm_int.h
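Review bot: The new guard in btm_sec_conn_req only covers the inbound connect-request path, so a bond or ACL connection that this device itself initiates toward a peer presenting our own BD_ADDR is still allowed; the CVE-2020-26555 mitigation is to refuse the relationship in both directions, so the same `memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0` rejection should also gate the outgoing bonding/connection entry point, not just the incoming one. The comparison also depends on esp_bt_get_mac(), which per the bt.c part of this patch is a controller-layer copy taken once at esp_bt_controller_init; bda here arrives from an HCI event, so it is worth confirming both are kept in the same byte order and that the copy cannot go stale if the local address is changed after init — if the host stack already keeps its own local-address record, comparing against that would avoid the new host→controller header dependency as well. The comment could state the threat rather than just naming the CVE, e.g. `/* Reject a peer that claims our own BD_ADDR: the PIN-pairing impersonation attack (CVE-2020-26555) requires the attacker to reflect the victim's address. */`. btm_sec_conn_req begins and ends outside the hunk.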
@@ -735,7 +735,7 @@ enum {
     BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP,  /* Waiting for local response to peer OOB data */
     BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS,   /* Waiting for local IO capabilities and OOB data */
     BTM_PAIR_STATE_INCOMING_SSP,        /* Incoming SSP (got peer IO caps when idle) */
-    BTM_PAIR_STATE_WAIT_AUTH_COMPLETE,  /* All done, waiting authentication cpmplete */
+    BTM_PAIR_STATE_WAIT_AUTH_COMPLETE,  /* All done, waiting authentication complete */
     BTM_PAIR_STATE_WAIT_DISCONNECT      /* Waiting to disconnect the ACL */
 };
 typedef UINT8 tBTM_PAIRING_STATE;
diff --git a/components/bt/bt.c b/components/bt/bt.c
index e9e7009409..40db4647d7 100644
--- a/components/bt/bt.c
+++ b/components/bt/bt.c
@@ -401,6 +401,8 @@ SOC_RESERVE_MEMORY_REGION(SOC_MEM_BT_DATA_START, SOC_MEM_BT_DATA_END,
 
 static DRAM_ATTR struct osi_funcs_t *osi_funcs_p;
 
+static uint8_t own_bda[6];
+
 #if CONFIG_SPIRAM_USE_MALLOC
 static DRAM_ATTR btdm_queue_item_t btdm_queue_table[BTDM_MAX_QUEUE_NUM];
 static DRAM_ATTR SemaphoreHandle_t btdm_queue_table_mux = NULL;
@@ -1343,6 +1345,7 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg)
     cfg->bt_max_sync_conn = CONFIG_BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_EFF;
     cfg->magic = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL;
 
+    read_mac_wrapper(own_bda);
     if (((cfg->mode & ESP_BT_MODE_BLE) && (cfg->ble_max_conn <= 0 || cfg->ble_max_conn > BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT)) ||
         ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_acl_conn <= 0 || cfg->bt_max_acl_conn > BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT)) ||
         ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_sync_conn > BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT))) {
@@ -1611,6 +1614,11 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void)
     return btdm_controller_status;
 }
 
+uint8_t* esp_bt_get_mac(void)
+{
+    return own_bda;
+}
+
 
 /* extra functions */
 esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level)
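Review bot: The new file-scope `own_bda` has no comment saying what fills it or when, and the bare `6` is a magic number for a buffer whose contents a security check elsewhere in this patch depends on. Suggest `static uint8_t own_bda[6]; /* local BD_ADDR, filled once by read_mac_wrapper() in esp_bt_controller_init(); all zeros before that */`, and use the project's BD_ADDR length constant instead of `6` if the headers define one.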
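Review bot: `read_mac_wrapper(own_bda);` discards its result, so if the read fails own_bda stays zero-filled and the same-address check that consumes it in btm_sec.c ends up comparing peers against 00:00:00:00:00:00 instead of the real local address; I cannot see read_mac_wrapper's signature in this hunk, but if it returns a status it should be checked and the failure logged or returned. It also runs before the config validation that follows, so the address is captured even when init is about to fail, and only once, so an address changed after init (if the controller allows that) would not be reflected. esp_bt_controller_init begins and ends outside the hunk.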
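Review bot: esp_bt_get_mac hands out a writable pointer to the private own_bda buffer, so any caller can overwrite the value the CVE-2020-26555 check in btm_sec.c compares against; declare it `const uint8_t *esp_bt_get_mac(void)` (with the matching change in the header) or copy into a caller-supplied `uint8_t mac[6]` instead of exposing the static. The function also lacks a comment in the .c file; a one-liner such as `/* Returns the local BD_ADDR captured in esp_bt_controller_init(); all zeros until that has run. */` would document the lifetime callers must respect.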
diff --git a/components/bt/include/esp_bt.h b/components/bt/include/esp_bt.h
index f9d79487ba..c2c5811d1e 100644
--- a/components/bt/include/esp_bt.h
+++ b/components/bt/include/esp_bt.h
@@ -331,6 +331,12 @@ esp_err_t esp_bt_controller_disable(void);
  */
 esp_bt_controller_status_t esp_bt_controller_get_status(void);
 
+/**
+ * @brief Get BT MAC address.
+ * @return Array pointer of length 6 storing MAC address value.
+ */
+uint8_t* esp_bt_get_mac(void);
+
 /** @brief esp_vhci_host_callback
  * used for vhci call host function to notify what host need to do
  */
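Review bot: The new doc comment does not say that the returned pointer refers to static storage owned by the controller layer, that its contents are only meaningful after esp_bt_controller_init has run (the bt.c part of this patch fills it there and it is zero before), nor the byte order of the six bytes — exactly what a host-stack caller comparing it against an HCI-supplied BD_ADDR needs to know. Suggest `@brief Get the local Bluetooth device address (BD_ADDR)` and `@return Pointer to a 6-byte array, valid after esp_bt_controller_init(); owned by the controller layer and must not be modified or freed by the caller`, plus a sentence stating the byte order once confirmed. Making the return type `const uint8_t *` would also keep callers from modifying the buffer through this API.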