From 4002d4d329a8db62793505dac18947518333b324 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Mon, 14 Jul 2014 14:29:57 +0200
Subject: [PATCH] android/gatt: Disallow signed write on BR/EDR connection

As per Core Specification 4.1 Part G p. 4.9.2 signed write without reponse shall not be used on BR/EDR.
---
 android/gatt.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/android/gatt.c b/android/gatt.c
index ad99b2791..986f435a1 100644
--- a/android/gatt.c
+++ b/android/gatt.c
@@ -2799,6 +2799,21 @@ static void read_char_cb(guint8 status, const guint8 *pdu, guint16 len,
 free(data);
 }
 
+static int get_cid(struct gatt_device *dev)
+{
+ GIOChannel *io;
+ int cid;
+
+ io = g_attrib_get_channel(dev->attrib);
+
+ if (!bt_io_get(io, NULL, BT_IO_OPT_CID, &cid, BT_IO_OPT_INVALID)) {
+ error("gatt: Failed to get CID");
+ return -1;
+ }
+
+ return cid;
+}
+
 static int get_sec_level(struct gatt_device *dev)
 {
 GIOChannel *io;
@@ -3059,6 +3074,12 @@ static void handle_client_write_characteristic(const void *buf, uint16_t len)
 write_char_cb, cb_data);
 break;
 case GATT_WRITE_TYPE_SIGNED:
+ if (get_cid(conn->device) != ATT_CID) {
+ error("gatt: Cannot write signed on BR/EDR bearer");
+ status = HAL_STATUS_FAILED;
+ goto failed;
+ }
+
 if (get_sec_level(conn->device) != BT_SECURITY_LOW) {
 error("gatt: Cannot write signed on encrypted link");
 status = HAL_STATUS_FAILED;
@@ -5698,6 +5719,12 @@ static void write_signed_cmd_request(const uint8_t *cmd, uint16_t cmd_len,
 uint8_t csrk[16];
 uint32_t sign_cnt;
 
+ if (get_cid(dev) != ATT_CID) {
+ error("gatt: Remote tries write signed on BR/EDR bearer");
+ connection_cleanup(dev);
+ return;
+ }
+
 if (get_sec_level(dev) != BT_SECURITY_LOW) {
 error("gatt: Remote tries write signed on encrypted link");
 connection_cleanup(dev);
-- 
2.47.3
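Review bot: In get_cid() the local `int cid;` is uninitialized and its address is passed to bt_io_get() for BT_IO_OPT_CID. If btio stores that option through a `uint16_t *` (I believe it does, but btio.c is not part of this patch, so please confirm), only part of the int is written. The `!= ATT_CID` comparisons in both callers would then depend on indeterminate bytes, so the BR/EDR check could pass or fail unpredictably. Declaring `uint16_t cid = 0;` matches the option's width and keeps `return cid;` well defined.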
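Review bot: The new guard in handle_client_write_characteristic() also triggers when get_cid() returns -1 because the channel lookup failed, so the log line "Cannot write signed on BR/EDR bearer" can misreport the cause. The same applies to the guard added in write_signed_cmd_request(), where it also tears the connection down and blames the remote. Rejecting on lookup failure is the right fail-closed behaviour, but it is implicit here. I would state it next to each check, e.g. `/* get_cid() returns -1 on error, which is rejected here as well */`. Both functions begin and end outside their hunks.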