From fb3a382fe44ed6fff4961fd3b5de52d5da1fb37e Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Wed, 3 Feb 2021 18:55:17 +0530
Subject: [PATCH] Bluedroid: Do not initiate/accept connection with device having same BDADDR.

Added BD_ADDR comparison in l2cu_lcp_allocate and removed check from security connection request handler as it's handled in l2cu_lcp_allocate for both connection request and create connection.
---
 components/bt/host/bluedroid/stack/btm/btm_sec.c | 9 ---------
 components/bt/host/bluedroid/stack/l2cap/l2c_utils.c | 11 +++++++++++
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c
index 1baa060287..3c55bf3803 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -2630,15 +2630,6 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
 return;
 }
 
- /* Check if peer device's and our BD_ADDR is same or not. It
- should be different to avoid 'Impersonation in the Pin Pairing
- Protocol' (CVE-2020-26555) vulnerability. */
- if (memcmp((uint8_t *)bda, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
- BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR");
- btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
- return;
- }
-
 /* Security guys wants us not to allow connection from not paired devices */
 /* Check if connection is allowed for only paired devices */
 
diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c
index 882f59b5b1..6fb1c70d33 100644
--- a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c
+++ b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c
@@ -58,6 +58,17 @@ tL2C_LCB *l2cu_allocate_lcb (BD_ADDR p_bd_addr, BOOLEAN is_bonding, tBT_TRANSPOR
 if(p_lcb != NULL) {
 list_ret = true;
 }
+
+#if (CLASSIC_BT_INCLUDED == TRUE)
+ /* Check if peer device's and our BD_ADDR is same or not. It
+ should be different to avoid 'Impersonation in the Pin Pairing
+ Protocol' (CVE-2020-26555) vulnerability. */
+ if (memcmp((uint8_t *)p_bd_addr, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
+ L2CAP_TRACE_ERROR ("%s connection rejected due to same BD ADDR", __func__);
+ return (NULL);
+ }
+#endif
+
 if(p_lcb == NULL && list_length(l2cb.p_lcb_pool) < MAX_L2CAP_LINKS) {
 p_lcb = (tL2C_LCB *)osi_malloc(sizeof(tL2C_LCB));
 if (p_lcb) {
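Review bot: The new same-address check inside the `#if (CLASSIC_BT_INCLUDED == TRUE)` block runs for every link this function allocates, yet it compares only against the controller's public address and is justified by a BR/EDR legacy-pairing impersonation (CVE-2020-26555); the hunk header shows the third parameter is a tBT_TRANSPORT, so on a dual-mode build an LE link would presumably be subjected to the same test while an LE peer's random address is never compared with our own random address. Gating on the transport keeps the mitigation scoped to the vulnerable path: `if (transport == BT_TRANSPORT_BR_EDR && memcmp((uint8_t *)p_bd_addr, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {` (the parameter name is cut off in the hunk header, so confirm it). Returning NULL here is indistinguishable to callers from LCB pool exhaustion, so the comment should state that the actual reject is delegated to the caller's NULL handling, e.g. `/* NULL makes the caller treat this like a failed allocation (reject / no resources). */`; whether every caller of this function turns that into an HCI reject is outside the hunk. The body of l2cu_allocate_lcb starts before and continues past the hunk, and the commit message refers to the function as `l2cu_lcp_allocate` while the code names it `l2cu_allocate_lcb`.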