acl_read_cb does not handle incoming (ACL) data
if BT_CTLR_TX_BUFFER_SIZE is greater than
USB_MAX_FS_BULK_MPS - BT_HCI_ACL_HDR_SIZE.
Since the host adjusts the data according to
the BT_CTLR_TX_BUFFER_SIZE and does not use ZLP
we cannot start usb_transfer over the possible length of
the whole packet, with or without USB_TRANS_NO_ZLP flag.
But we can read the packet length from the header and
call net_buf_put() when the whole packet is received.
Fixes: #31922
Reported-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no>
Fail after pairing request and response have been exchanged if the
selected pairing method would not result in the required security level.
This avoids the case where we would discover this after having encrypted
the connection and disconnect instead.
This was partially attempted but lacked checking for authentication
requirement when L3 was required, as well as skipping the check if L4
was required but remote did not support Secure Connections since the
check was after we had taken the legacy branch.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Set the error in the security changed callback when the encryption has
not reached the required security level.
Terminate the pairing procedure in SMP on failure to avoid the security
changed callback being called twice in this case.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Terminate the pairing procedure when disconnected while this was in
progress. This notifies the application that security has failed and
removes the key entry.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Set the SMP flag encryption pending in the case where a bond exists
with ediv and rand equal to zero, i.e LE Secure Connections bond.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
When receiving unexpected SMP PDUs with no pairing procedures in
progress don't treat it as a pairing procedure that has failed.
This causes unexpected SMP PDUs to trigger the pairing failed and
security changed callback at unexpected times.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add status only pairing failed callbacks (complete and failed) so that
these handlers can be added without providing the ability for MITM
pairing procedures.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Rename auth_err_get to security_err_get which better reflect the
error namespace it converts to. Also update to using the enum definition
instead of uint8_t for local variable holding returned value.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
when BT_PASSKEY_INVALID was set, it never updated the fixed
passkey which made its use ineffective
Signed-off-by: Faisal Saleem <faisal.saleem@setec.com.au>
The ATT request buffers are held until the ATT response has been
received. This means that the ATT request buffers are released by the
RX thread, instead of the from the RX priority context of
num_complete.
This can cause a deadlock in the RX thread when we allocate buffers
and all the available buffers are ATT requests, since the RX thread is
the only thread that can release buffers.
Release the ATT request buffers once they have been sent and instead
handle ATT request resending by reconstructing the buffer from the
GATT parameters.
Also re-order the order of resource allocation by allocating the
request context before the buffer. This ensures that we cannot
allocate more buffers for ATT requests than there are ATT requests.
Fixed a buf reference leak that could occur when the ATT request buffer
has been allocated, but GATT returns an error before handing the
responsebility of the buffer to ATT, for example when bt_att_req_alloc
fails.
This is fixed by moving the functionality of att_req_destroy to
bt_att_req_free.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Remove the ATT request destroy callback which is never assigned
by any of the ATT requests.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix indicate without func not working properly, when sent as a
non-req by GATT this has two propblems:
- The indicate would not be treated as a transaction, and back
to back indicate would be sent without waiting for the confirm
- The destroy callback would not be called on the indicate parameters
since the indicate_rsp callback would not be called.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
ATT channels do support queueing buffer so it no longer need to block
waiting the tx_sem besides the buffer allocation already serves the
same purpose as the application will not be able to have more requests
than there are buffers available.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Allow to request a higher security level during the key distribution
phase.
This is required by ATT and L2CAP since they only react to the encrypt
change event where they resend the current request.
The current request might require a higher security level still and
might have to request a higher security level before the pairing
procedure has been finished.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
When ATT resends an ATT request it is sent as a "response" instead of
as a request. This causes the ATT request buffer to be released and
the ATT request cannot be resent one more time.
This causes a problem when the ATT request requires authentication
but the elevation of security is not enforcing MITM protection.
In this case the ATT will first require security level 2 and then resend
the request once this has been reached.
This will lead to a new ATT error response and ATT will require security
level L3.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix the update keys check allowing to overwrite the keys when using
debug keys. Instead the check disallowed overwriting keys made using
debug keys.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix gatt write command returned "write in progress" when either
hex2bin or bt_gatt_write returned an error.
The write_params.func should not be set if the write command was not
successful.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Sets the sequence number when re-encrypting messages from the friend to
the lpn.
This is a regression from #28511.
Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>
Set app_idx and net_idx in the msg_ctx before calling
bt_mesh_keys_resolve when re-encrypting friend messages, as they'll be
referenced inside the function.
Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>
Move the public network request command from the end of `lorawan_start`
to the start of `lorawan_join`. This MAC command interacts with the
radio driver, bringing it out of sleep mode, and doesn't put it back.
The public network setting is only needed when joining a network, and
`lorawan_start` can be called well before `lorawan_join`. By moving the
command we save ~600uA before joining (for sx1262).
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Fix missing advertising PDU length initialization which
prevented advertising PDU to be transmitted by Radio. This
issue was reproduced when connectable undirected advertising
was enabled without setting an advertising data.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
llvm 11 doesn't like having preprocessor directives in the expansion
of a macro used as a preprocessor conditional expression.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
After #31176, the network would get stored immediately in
bt_mesh_net_create, causing the address and devicekey to get stored as
their zero-initialized version, as they're only being set in the
bt_mesh_comp_provision call, which fires after.
Fixes#32067.
Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>
Fixes problem when fs_opendir invoked on fs_dir_t object,
which is already holding information on opened directory,
overwrites references to other memory objects within
the fs_dir_t object causing resource leak.
If fs_opendir is invoked on already used fs_dir_t object,
it will return
-EBUSY.
Note: The change requires that all fs_dir_t objects should be
initialized to 0.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The commit adds initializations of fs_dir_t variables in preparation
for fs_opendir function change that will require fs_dir_t object, passed
to the function, to be initialized before first usage.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Reduces some user confusion regarding whether it is related
to "Connection ID", "Channel ID", or "Company ID" for the
uninitiated.
Signed-off-by: Emil Hammarstrom <emil.hammarstrom@assaabloy.com>
Current 6lo implementation is unable to deal with scattered headers
(which should not happen usually, though it's a valid use case), so
let's just fail uncompressing such packet then.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Bogus fragmented packet could be sent without a FRAG1 fragment and hit
reassembly. Let's make sure this does not happen.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
In case the current packet is the same as the cached one, let's not
unreference it while clearing the cache.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Though ACK frames are not meant to reach L2 (drivers must ensure this
never happens), let's "re-enforce" the L2 by dropping them.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
All addressing mode but IEEE802154_ADDR_MODE_NONE should have a valid
address. If not, the frame is invalid.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Fix OpenISA port to include compiler memory barrier as in
commit 1a14f8b3a6 ("Bluetooth: controller: Use DMB instead
of DSB").
Relates to commit 1af2b91c23 ("Bluetooth: controller: Fix
Tx Buffer Overflow") and to commit ef2ece82c0 ("Bluetooth:
controller: openisa: Fix sanitycheck failures") and to
commit c2fc629dd2 ("Bluetooth: controller: 255 byte AD
payload support").
Fixes#31937.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Fix for OpenISA rv32m1_vega_ri5cy board not supporting
different IRQ Priority levels for LLL, ULL_HIGH and ULL_LOW
execution contexts.
Fixes#31937.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Fix BT_CTLR_ULL_HIGH_PRIO default value to equal
BT_CTLR_LLL_PRIO value if BT_CTLR_LOW_LAT is enabled, else
default ULL_HIGH to lower IRQ priority level in comparison
to LLL IRQ priority level. If BT_CTLR_ZLI is enabled,
BT_CTLR_ULL_HIGH_PRIO can default to a priority level value
of 0 and still be lower priority level than the LLL which
is placed at Zero Latency IRQ priority level (highest
priority in the CPU).
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
As network_decode needs a target buffer for decoding, the max PDU length
must be checked to prevent overflow on the target buffer. When receiving
a proxy configuration message with excessive length, there's no previous
check for this.
Also pulls the NET PDU length defines out into net.h, so they can be
used when defining the target buffers.
Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>
Restore the user requested datarate upon a successful join. Several
regions overwrite the configured datarate through `RegionAlternateDr`,
which means that for these regions, `LoRaMacQueryTxPossible` will not
be evaluating the requested datarate for the first transmission after
joining.
Fixes#31551.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Validate datarates requested by users. As a side effect of this change
the MAC layer is immediately aware of updated datarates. Therefore
`LoRaMacQueryTxPossible` in `lorawan_send` will be using the same
datarate to evaluate the payload length as `LoRaMacMcpsRequest` is
requesting.
Fixes#31551.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Query the default datarate for the configured region, instead of
assuming that the default is DR_0.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
