Bluetooth: Mesh: Fix message replay protection

The Mesh Profile Specification states that replay protection must be done for all control and access messages. Furthermore, the replay protection list must be updated with the sequence from the last segment of a segmented message (the code was only updating based on SeqZero). Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2017-11-04 22:50:56 +02:00 · 2017-11-04 22:50:56 +02:00 · 8fe33607c6
commit 8fe33607c6
parent cad1f4ce7b
1 changed files with 14 additions and 6 deletions
--- a/subsys/bluetooth/host/mesh/transport.c
+++ b/subsys/bluetooth/host/mesh/transport.c
@ -567,12 +567,6 @@ static int sdu_recv(struct bt_mesh_net_rx *rx, u8_t hdr, u8_t mic_size,

 		rx->ctx.app_idx = key->app_idx;

-		if (is_replay(rx)) {
-			BT_WARN("Replay: src 0x%04x dst 0x%04x seq 0x%06x",
-				rx->ctx.addr, rx->dst, rx->seq);
-			return -EINVAL;
-		}
-
 		bt_mesh_model_recv(rx, sdu);
 		return 0;
 	}
@ -788,6 +782,12 @@ static int trans_unseg(struct net_buf_simple *buf, struct bt_mesh_net_rx *rx,
 		return -EINVAL;
 	}

+	if (rx->local_match && is_replay(rx)) {
+		BT_WARN("Replay: src 0x%04x dst 0x%04x seq 0x%06x",
+			rx->ctx.addr, rx->dst, rx->seq);
+		return -EINVAL;
+	}
+
 	hdr = net_buf_simple_pull_u8(buf);

 	if (rx->ctl) {
@ -1176,6 +1176,14 @@ found_rx:

 	BT_DBG("Complete SDU");

+	if (net_rx->local_match && is_replay(net_rx)) {
+		BT_WARN("Replay: src 0x%04x dst 0x%04x seq 0x%06x",
+			net_rx->ctx.addr, net_rx->dst, net_rx->seq);
+		/* Clear the segment's bit */
+		rx->block &= ~BIT(seg_o);
+		return -EINVAL;
+	}
+
 	*pdu_type = BT_MESH_FRIEND_PDU_COMPLETE;

 	/* Set the correct sequence number to be used with the App Nonce */