Merge branch 'bugfix/ignore_null_valued_comb_key' into 'master'

component/bt: Added check for NULL valued combination key. See merge request espressif/esp-idf!12239
2025-11-04 06:11:06 +00:00 · 2021-02-09 19:49:25 +08:00
parent 3f821b1d65 368ba6b077
commit b88ec36635
6 changed files with 12 additions and 37 deletions
--- a/components/bt/controller/esp32/bt.c
+++ b/components/bt/controller/esp32/bt.c
@@ -374,8 +374,6 @@ SOC_RESERVE_MEMORY_REGION(SOC_MEM_BT_DATA_START, SOC_MEM_BT_DATA_END,

 static DRAM_ATTR struct osi_funcs_t *osi_funcs_p;

-static uint8_t own_bda[6];
-
 #if CONFIG_SPIRAM_USE_MALLOC
 static DRAM_ATTR btdm_queue_item_t btdm_queue_table[BTDM_MAX_QUEUE_NUM];
 static DRAM_ATTR SemaphoreHandle_t btdm_queue_table_mux = NULL;
@@ -1258,7 +1256,6 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg)
    cfg->bt_max_sync_conn = CONFIG_BTDM_CTRL_BR_EDR_MAX_SYNC_CONN_EFF;
    cfg->magic  = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL;

-    read_mac_wrapper(own_bda);
    if (((cfg->mode & ESP_BT_MODE_BLE) && (cfg->ble_max_conn <= 0 || cfg->ble_max_conn > BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT))
            || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_acl_conn <= 0 || cfg->bt_max_acl_conn > BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT))
            || ((cfg->mode & ESP_BT_MODE_CLASSIC_BT) && (cfg->bt_max_sync_conn > BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT))) {
@@ -1556,12 +1553,6 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void)
    return btdm_controller_status;
 }

-uint8_t* esp_bt_get_mac(void)
-{
-    return own_bda;
-}
-
-
 /* extra functions */
 esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level)
 {
--- a/components/bt/controller/esp32c3/bt.c
+++ b/components/bt/controller/esp32c3/bt.c
@@ -139,7 +139,6 @@ typedef struct {
 } btdm_dram_available_region_t;

 typedef void (* osi_intr_handler)(void);
-static uint8_t own_bda[6];

 /* OSI function */
 struct osi_funcs_t {
@@ -975,8 +974,6 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg)
        return ESP_ERR_INVALID_ARG;
    }

-    read_mac_wrapper(own_bda);
-
    ESP_LOGI(BTDM_LOG_TAG, "BT controller compile version [%s]", btdm_controller_get_compile_version());

    // init low-power control resources
@@ -1331,11 +1328,6 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void)
    return btdm_controller_status;
 }

-uint8_t* esp_bt_get_mac(void)
-{
-    return own_bda;
-}
-
 /* extra functions */
 esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level)
 {
--- a/components/bt/controller/esp32s3/bt.c
+++ b/components/bt/controller/esp32s3/bt.c
@@ -111,8 +111,6 @@ typedef struct {
 } btdm_queue_item_t;
 #endif

-static uint8_t own_bda[6];
-
 /* OSI function */
 struct osi_funcs_t {
    uint32_t _magic;
@@ -950,8 +948,6 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg)
        }
    }

-    read_mac_wrapper(own_bda);
-
    ESP_LOGI(BTDM_LOG_TAG, "BT controller compile version [%s]", btdm_controller_get_compile_version());

 #if CONFIG_SPIRAM_USE_MALLOC
@@ -1168,11 +1164,6 @@ esp_bt_controller_status_t esp_bt_controller_get_status(void)
    return btdm_controller_status;
 }

-uint8_t* esp_bt_get_mac(void)
-{
-    return own_bda;
-}
-
 /* extra functions */
 esp_err_t esp_ble_tx_power_set(esp_ble_power_type_t power_type, esp_power_level_t power_level)
 {
--- a/components/bt/controller/lib
+++ b/components/bt/controller/lib
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -36,7 +36,6 @@
 #include "osi/fixed_queue.h"
 #include "osi/alarm.h"
 #include "stack/btm_ble_api.h"
-#include "esp_bt.h"

 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
 /* needed for sprintf() */
@@ -2631,15 +2630,6 @@ void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
        return;
    }

-    /* Check if peer device's and our BD_ADDR is same or not. It
-       should be different to avoid 'Impersonation in the Pin Pairing
-       Protocol' (CVE-2020-26555) vulnerability. */
-    if (memcmp(bda, esp_bt_get_mac(), sizeof (BD_ADDR)) == 0) {
-        BTM_TRACE_ERROR ("Security Manager: connect request from device with same BD_ADDR\n");
-        btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
-        return;
-    }
-
    /* Security guys wants us not to allow connection from not paired devices */

    /* Check if connection is allowed for only paired devices */
--- a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c
+++ b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c
@@ -58,6 +58,17 @@ tL2C_LCB *l2cu_allocate_lcb (BD_ADDR p_bd_addr, BOOLEAN is_bonding, tBT_TRANSPOR
    if(p_lcb != NULL) {
        list_ret = true;
    }
+
+#if (CLASSIC_BT_INCLUDED == TRUE)
+    /* Check if peer device's and our BD_ADDR is same or not. It
+       should be different to avoid 'Impersonation in the Pin Pairing
+       Protocol' (CVE-2020-26555) vulnerability. */
+    if (memcmp((uint8_t *)p_bd_addr, (uint8_t *)&controller_get_interface()->get_address()->address, sizeof (BD_ADDR)) == 0) {
+        L2CAP_TRACE_ERROR ("%s connection rejected due to same BD ADDR", __func__);
+        return (NULL);
+    }
+#endif
+
    if(p_lcb == NULL && list_length(l2cb.p_lcb_pool) < MAX_L2CAP_LINKS) {
        p_lcb = (tL2C_LCB *)osi_malloc(sizeof(tL2C_LCB));
 	    if (p_lcb) {