
Commit b08e572

joerchancarlescufi
authored andcommitted
Bluetooth: host: check return value of bt_rand when creating identities
Check the return value of bt_rand when creating identities. Failure to generate a random IRK would result in the privacy feature being compromised. Fixes: #38120 Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
1 parent 884ebbb commit b08e572

3 files changed

+48
-17
lines changed

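--- a/subsys/bluetooth/host/hci_core.h
+++ b/subsys/bluetooth/host/hci_core.h
@@ -396,7 +396,7 @@ void bt_id_add(struct bt_keys *keys);
 void bt_id_del(struct bt_keys *keys);
 
 int bt_setup_random_id_addr(void);
-void bt_setup_public_id_addr(void);
+int bt_setup_public_id_addr(void);
 
 void bt_finalize_init(void);
 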
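Review bot: The declaration of `bt_setup_public_id_addr()` now returns `int`, but nothing at the prototype says what the value means or that it must be checked, and the whole fix depends on callers not dropping it. I would add a comment above it such as `/* Returns 0 on success, otherwise the error from identity creation (e.g. IRK generation failed); callers must abort setup on error. */`, and do the same for `bt_setup_random_id_addr()` on the line before. If this tree's toolchain header provides a warn-unused-result macro (`__must_check` in Zephyr, to be confirmed for this revision), putting it on both prototypes would make the compiler flag any caller that ignores the result.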

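--- a/subsys/bluetooth/host/id.c
+++ b/subsys/bluetooth/host/id.c
@@ -962,15 +962,20 @@ static int id_find(const bt_addr_le_t *addr)
 return -ENOENT;
 }
 
-static void id_create(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
+static int id_create(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
 {
 if (addr && bt_addr_le_cmp(addr, BT_ADDR_LE_ANY)) {
 bt_addr_le_copy(&bt_dev.id_addr[id], addr);
 } else {
 bt_addr_le_t new_addr;
 
 do {
-bt_addr_le_create_static(&new_addr);
+int err;
+
+err = bt_addr_le_create_static(&new_addr);
+if (err) {
+return err;
+}
 /* Make sure we didn't generate a duplicate */
 } while (id_find(&new_addr) >= 0);
 
@@ -988,7 +993,13 @@ static void id_create(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
 if (irk && memcmp(irk, zero_irk, 16)) {
 memcpy(&bt_dev.irk[id], irk, 16);
 } else {
-bt_rand(&bt_dev.irk[id], 16);
+int err;
+
+err = bt_rand(&bt_dev.irk[id], 16);
+if (err) {
+return err;
+}
+
 if (irk) {
 memcpy(irk, &bt_dev.irk[id], 16);
 }
@@ -1003,11 +1014,13 @@ static void id_create(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
 atomic_test_bit(bt_dev.flags, BT_DEV_READY)) {
 bt_settings_save_id();
 }
+
+return 0;
 }
 
 int bt_id_create(bt_addr_le_t *addr, uint8_t *irk)
 {
-int new_id;
+int new_id, err;
 
 if (addr && bt_addr_le_cmp(addr, BT_ADDR_LE_ANY)) {
 if (addr->type != BT_ADDR_LE_RANDOM ||
@@ -1044,13 +1057,18 @@ int bt_id_create(bt_addr_le_t *addr, uint8_t *irk)
 }
 
 new_id = bt_dev.id_count++;
-id_create(new_id, addr, irk);
+err = id_create(new_id, addr, irk);
+if (err) {
+return err;
+}
 
 return new_id;
 }
 
 int bt_id_reset(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
 {
+int err;
+
 if (addr && bt_addr_le_cmp(addr, BT_ADDR_LE_ANY)) {
 if (addr->type != BT_ADDR_LE_RANDOM ||
 !BT_ADDR_IS_STATIC(&addr->a)) {
@@ -1085,15 +1103,16 @@ int bt_id_reset(uint8_t id, bt_addr_le_t *addr, uint8_t *irk)
 
 if (IS_ENABLED(CONFIG_BT_CONN) &&
 bt_addr_le_cmp(&bt_dev.id_addr[id], BT_ADDR_LE_ANY)) {
-int err;
-
 err = bt_unpair(id, NULL);
 if (err) {
 return err;
 }
 }
 
-id_create(id, addr, irk);
+err = id_create(id, addr, irk);
+if (err) {
+return err;
+}
 
 return id;
 }
@@ -1212,15 +1231,15 @@ uint8_t bt_id_read_public_addr(bt_addr_le_t *addr)
 return 1U;
 }
 
-void bt_setup_public_id_addr(void)
+int bt_setup_public_id_addr(void)
 {
 bt_addr_le_t addr;
 uint8_t *irk = NULL;
 
 bt_dev.id_count = bt_id_read_public_addr(&addr);
 
 if (!bt_dev.id_count) {
-return;
+return 0;
 }
 
 #if defined(CONFIG_BT_PRIVACY)
@@ -1236,7 +1255,7 @@ void bt_setup_public_id_addr(void)
 }
 #endif /* defined(CONFIG_BT_PRIVACY) */
 
-id_create(BT_ID_DEFAULT, &addr, irk);
+return id_create(BT_ID_DEFAULT, &addr, irk);
 }
 
 #if defined(CONFIG_BT_HCI_VS_EXT)
@@ -1303,6 +1322,7 @@ int bt_setup_random_id_addr(void)
 
 if (bt_dev.id_count) {
 for (uint8_t i = 0; i < bt_dev.id_count; i++) {
+int err;
 bt_addr_le_t addr;
 uint8_t *irk = NULL;
 #if defined(CONFIG_BT_PRIVACY)
@@ -1319,7 +1339,10 @@ int bt_setup_random_id_addr(void)
 bt_addr_copy(&addr.a, &addrs[i].bdaddr);
 addr.type = BT_ADDR_LE_RANDOM;
 
-id_create(i, &addr, irk);
+err = id_create(i, &addr, irk);
+if (err) {
+return err;
+}
 }
 
 return 0;
@@ -1732,7 +1755,11 @@ int bt_id_init(void)
 if (!IS_ENABLED(CONFIG_BT_SETTINGS) && !bt_dev.id_count) {
 BT_DBG("No user identity. Trying to set public.");
 
-bt_setup_public_id_addr();
+err = bt_setup_public_id_addr();
+if (err) {
+BT_ERR("Unable to set identity address");
+return err;
+}
 }
 
 if (!IS_ENABLED(CONFIG_BT_SETTINGS) && !bt_dev.id_count) {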
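Review bot: In `bt_id_create()` the slot is still claimed with `new_id = bt_dev.id_count++;` before `id_create()` runs, so the new `return err` path leaves `id_count` incremented for an identity that was never completed. I would take the index without incrementing, `new_id = bt_dev.id_count;`, and do `bt_dev.id_count++;` only after `id_create()` has returned 0. The same partial-state concern applies inside `id_create()`, where `bt_dev.id_addr[id]` is written in the first hunk before `bt_rand()` can fail in the second, and in `bt_id_reset()`, where `bt_unpair()` has already run when `id_create()` fails. How later code treats a counted slot whose IRK was not generated is not visible in these hunks, but leaving one behind risks the same privacy weakness this commit is meant to close.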

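--- a/subsys/bluetooth/host/settings.c
+++ b/subsys/bluetooth/host/settings.c
@@ -231,6 +231,8 @@ void bt_settings_save_id(void)
 
 static int commit(void)
 {
+int err;
+
 BT_DBG("");
 
 #if defined(CONFIG_BT_DEVICE_NAME_DYNAMIC)
@@ -239,12 +241,14 @@ static int commit(void)
 }
 #endif
 if (!bt_dev.id_count) {
-bt_setup_public_id_addr();
+err = bt_setup_public_id_addr();
+if (err) {
+BT_ERR("Unable to setup an identity address");
+return err;
+}
 }
 
 if (!bt_dev.id_count) {
 err = bt_setup_random_id_addr();
 if (err) {
 BT_ERR("Unable to setup an identity address");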
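Review bot: Both failure branches in `commit()` now log the identical string "Unable to setup an identity address" and drop `err`, so the log cannot tell a public-address failure from a random-address one, nor an RNG failure from any other cause. I would make the new branch distinct and include the code, e.g. `BT_ERR("Unable to setup public identity address (err %d)", err);`, and word the random-address branch correspondingly. The error added in `bt_id_init()` in id.c has the same gap. `commit()` continues past the end of this hunk, so the remainder of the random-address branch is not visible here.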
