Skip to content

Commit 70fd426

Browse files
pvts-matPlaidCat
pvts-mat
authored and
PlaidCat
committed
Bluetooth: Store advertising handle so it can be re-enabled
jira VULN-158424 cve-pre CVE-2023-53673 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 7087c4f This stores the advertising handle/instance into hci_conn so it is accessible when re-enabling the advertising once disconnected. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> (cherry picked from commit 7087c4f) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
1 parent a59a9be commit 70fd426

2 files changed

Lines changed: 30 additions & 16 deletions

File tree

include/net/bluetooth/hci_core.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -616,6 +616,7 @@ struct hci_conn {
616616
__u8 init_addr_type;
617617
bdaddr_t resp_addr;
618618
__u8 resp_addr_type;
619+
__u8 adv_instance;
619620
__u16 handle;
620621
__u16 state;
621622
__u8 mode;

net/bluetooth/hci_event.c

Lines changed: 29 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -2334,19 +2334,20 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
23342334

23352335
conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
23362336
if (conn) {
2337-
u8 type = conn->type;
2338-
23392337
mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
23402338
conn->dst_type, status);
23412339

2340+
if (conn->type == LE_LINK) {
2341+
hdev->cur_adv_instance = conn->adv_instance;
2342+
hci_req_reenable_advertising(hdev);
2343+
}
2344+
23422345
/* If the disconnection failed for any reason, the upper layer
23432346
* does not retry to disconnect in current implementation.
23442347
* Hence, we need to do some basic cleanup here and re-enable
23452348
* advertising if necessary.
23462349
*/
23472350
hci_conn_del(conn);
2348-
if (type == LE_LINK)
2349-
hci_req_reenable_advertising(hdev);
23502351
}
23512352

23522353
hci_dev_unlock(hdev);
@@ -2872,7 +2873,6 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
28722873
struct hci_conn_params *params;
28732874
struct hci_conn *conn;
28742875
bool mgmt_connected;
2875-
u8 type;
28762876

28772877
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
28782878

@@ -2927,10 +2927,7 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
29272927
}
29282928
}
29292929

2930-
type = conn->type;
2931-
29322930
hci_disconn_cfm(conn, ev->reason);
2933-
hci_conn_del(conn);
29342931

29352932
/* The suspend notifier is waiting for all devices to disconnect so
29362933
* clear the bit from pending tasks and inform the wait queue.
@@ -2950,8 +2947,12 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
29502947
* or until a connection is created or until the Advertising
29512948
* is timed out due to Directed Advertising."
29522949
*/
2953-
if (type == LE_LINK)
2950+
if (conn->type == LE_LINK) {
2951+
hdev->cur_adv_instance = conn->adv_instance;
29542952
hci_req_reenable_advertising(hdev);
2953+
}
2954+
2955+
hci_conn_del(conn);
29552956

29562957
unlock:
29572958
hci_dev_unlock(hdev);
@@ -5269,6 +5270,13 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
52695270
conn->handle = handle;
52705271
conn->state = BT_CONFIG;
52715272

5273+
/* Store current advertising instance as connection advertising instance
5274+
* when sotfware rotation is in use so it can be re-enabled when
5275+
* disconnected.
5276+
*/
5277+
if (!ext_adv_capable(hdev))
5278+
conn->adv_instance = hdev->cur_adv_instance;
5279+
52725280
conn->le_conn_interval = interval;
52735281
conn->le_conn_latency = latency;
52745282
conn->le_supv_timeout = supervision_timeout;
@@ -5352,13 +5360,13 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
53525360
{
53535361
struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
53545362
struct hci_conn *conn;
5363+
struct adv_info *adv;
53555364

53565365
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
53575366

5358-
if (ev->status) {
5359-
struct adv_info *adv;
5367+
adv = hci_find_adv_instance(hdev, ev->handle);
53605368

5361-
adv = hci_find_adv_instance(hdev, ev->handle);
5369+
if (ev->status) {
53625370
if (!adv)
53635371
return;
53645372

@@ -5369,9 +5377,15 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
53695377
return;
53705378
}
53715379

5380+
if (adv)
5381+
adv->enabled = false;
5382+
53725383
conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
53735384
if (conn) {
5374-
struct adv_info *adv_instance;
5385+
/* Store handle in the connection so the correct advertising
5386+
* instance can be re-enabled when disconnected.
5387+
*/
5388+
conn->adv_instance = ev->handle;
53755389

53765390
if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
53775391
return;
@@ -5381,9 +5395,8 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
53815395
return;
53825396
}
53835397

5384-
adv_instance = hci_find_adv_instance(hdev, ev->handle);
5385-
if (adv_instance)
5386-
bacpy(&conn->resp_addr, &adv_instance->random_addr);
5398+
if (adv)
5399+
bacpy(&conn->resp_addr, &adv->random_addr);
53875400
}
53885401
}
53895402

0 commit comments

Comments
 (0)