Bluetooth: controller: Send unknown rsp to unexpected ENC ctrl PDU

Send unknown rsp instead of asserting when encryption related control
PDUs are received in the wrong state.
The assert would allow an attacker to intentionally crash the device.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Joakim Andersson 2019-04-04 12:10:51 +02:00 committed by Carles Cufí
commit 0e7bf9b657


@ -2645,9 +2645,12 @@ isr_rx_conn_pkt_ctrl(struct radio_pdu_node_rx *node_rx,
break;
case PDU_DATA_LLCTRL_TYPE_START_ENC_REQ:
LL_ASSERT((_radio.conn_curr->llcp_req ==
if (!((_radio.conn_curr->llcp_req ==
_radio.conn_curr->llcp_ack) ||
(_radio.conn_curr->llcp_type == LLCP_ENCRYPTION));
(_radio.conn_curr->llcp_type == LLCP_ENCRYPTION))) {
goto isr_rx_conn_unknown_rsp_send;
}
if (_radio.conn_curr->role ||
!pdu_len_cmp(PDU_DATA_LLCTRL_TYPE_START_ENC_REQ,
@ -2669,10 +2672,12 @@ isr_rx_conn_pkt_ctrl(struct radio_pdu_node_rx *node_rx,
if (_radio.role == ROLE_SLAVE) {
#if !defined(CONFIG_BT_CTLR_FAST_ENC)
LL_ASSERT((_radio.conn_curr->llcp_req ==
if (!((_radio.conn_curr->llcp_req ==
_radio.conn_curr->llcp_ack) ||
(_radio.conn_curr->llcp_type ==
LLCP_ENCRYPTION));
LLCP_ENCRYPTION))) {
goto isr_rx_conn_unknown_rsp_send;
}
/* start enc rsp to be scheduled in slave prepare */
_radio.conn_curr->llcp_encryption.initiate = 0U;
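Review bot: Neither new state check has a comment saying why an out-of-sequence encryption PDU is rejected rather than asserted on, so a later cleanup could restore `LL_ASSERT` and bring back the peer-triggered crash; above each `if (!((_radio.conn_curr->llcp_req == ...` I would add `/* Peer controls PDU order: answer with unknown rsp, never assert on it */`. In the second hunk the check sits under `#if !defined(CONFIG_BT_CTLR_FAST_ENC)` and the matching `#else` is outside the visible lines, so the fast-encryption build presumably takes a different path, which should be checked for the same kind of assert on peer-driven state. The condition is now duplicated in both cases and could move into one small `static` helper so the two stay in step. `isr_rx_conn_pkt_ctrl` starts and ends outside both hunks.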