mirror/btstack
1
0
Fork 0
mirror of https://github.com/bluekitchen/btstack.git synced 2025-02-23 00:39:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2020-26555: ignore NULL link key

Browse Source
This commit is contained in:
Matthias Ringwald 2021-06-22 17:26:01 +02:00
parent 79e0fa07b4
commit 3817f9dfcd
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG.md
View File

@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
--- ---
## Unreleased ## Unreleased
### Added
### Fixed
### Changed
## Release v1.4.1
### Added ### Added
- GAP: emit GAP_EVENT_PAIRING_STARTED and GAP_EVENT_PAIRING_COMPLETE - GAP: emit GAP_EVENT_PAIRING_STARTED and GAP_EVENT_PAIRING_COMPLETE
@ -29,6 +35,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- GAP: validate minimal service security level can be reached during pairing in responder role - GAP: validate minimal service security level can be reached during pairing in responder role
- L2CAP: don't trigger hci disconnect if l2cap security requirements are insufficient - L2CAP: don't trigger hci disconnect if l2cap security requirements are insufficient
- CVE-2020-26555: reject connections to and from devices with same BD ADDR - CVE-2020-26555: reject connections to and from devices with same BD ADDR
- CVE-2020-26555: ignore NULL link key
- CVE-2020-26558: abort LE Secure Connection pairing if remote uses the same public key - CVE-2020-26558: abort LE Secure Connection pairing if remote uses the same public key
## Release v1.4 ## Release v1.4

16
src/hci.c
View File

@ -2400,6 +2400,17 @@ static bool hci_ssp_security_level_possible_for_io_cap(gap_security_level_t leve
// LEVEL 2 requires SSP, which is a given // LEVEL 2 requires SSP, which is a given
return true; return true;
} }
static bool btstack_is_null(uint8_t * data, uint16_t size){
uint16_t i;
for (i=0; i < size ; i++){
if (data[i] != 0) {
return false;
}
}
return true;
}
#endif #endif
static void event_handler(uint8_t *packet, uint16_t size){ static void event_handler(uint8_t *packet, uint16_t size){
@ -2706,11 +2717,16 @@ static void event_handler(uint8_t *packet, uint16_t size){
hci_pairing_complete(conn, ERROR_CODE_SUCCESS); hci_pairing_complete(conn, ERROR_CODE_SUCCESS);
// CVE-2020-26555: ignore NULL link key
// default link_key_type = INVALID_LINK_KEY asserts that NULL key won't be used for encryption
if (btstack_is_null(&packet[8], 16)) break;
link_key_type_t link_key_type = (link_key_type_t)packet[24]; link_key_type_t link_key_type = (link_key_type_t)packet[24];
// Change Connection Encryption keeps link key type // Change Connection Encryption keeps link key type
if (link_key_type != CHANGED_COMBINATION_KEY){ if (link_key_type != CHANGED_COMBINATION_KEY){
conn->link_key_type = link_key_type; conn->link_key_type = link_key_type;
} }
// cache link key. link keys stored in little-endian format for legacy reasons // cache link key. link keys stored in little-endian format for legacy reasons
memcpy(&conn->link_key, &packet[8], 16); memcpy(&conn->link_key, &packet[8], 16);