Bluetooth: Fix checking for proper key->master value in Load LTKs
author Johan Hedberg <johan.hedberg@intel.com>
Sun, 20 Jan 2013 12:27:15 +0000 (14:27 +0200)
committer Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Wed, 23 Jan 2013 03:54:09 +0000 (01:54 -0200)
The allowed values for the key->master parameter in the Load LTKs
command are 0x00 and 0x01. If there is a key in the list with some other
value the command should fail with a proper invalid params response.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
net/bluetooth/mgmt.c

index a050eee61623d2dfdd301f910c1e129e6a93d877..c7ec47ce94e580758127219f07c22249ad932577 100644 (file)
@@ -2721,6 +2721,15 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
 
        BT_DBG("%s key_count %u", hdev->name, key_count);
 
+       for (i = 0; i < key_count; i++) {
+               struct mgmt_ltk_info *key = &cp->keys[i];
+
+               if (key->master != 0x00 && key->master != 0x01)
+                       return cmd_status(sk, hdev->id,
+                                         MGMT_OP_LOAD_LONG_TERM_KEYS,
+                                         MGMT_STATUS_INVALID_PARAMS);
+       }
+
        hci_dev_lock(hdev);
 
        hci_smp_ltks_clear(hdev);
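
Review bot: The rejection path in the new loop (the `return cmd_status(...)` under the `key->master` check) gives no hint of which entry was bad; a BT_DBG carrying the index `i` and the offending `key->master` value before the return would make a malformed Load LTKs request easier to diagnose, matching the existing BT_DBG for key_count. The loop sits before hci_dev_lock() and hci_smp_ltks_clear(), so a rejected list leaves the stored LTKs untouched; a one-line comment saying the validation is deliberately a separate pass ahead of the clear would keep a later cleanup from moving the check below it. The loop also depends on `i`, whose declaration is outside the visible lines; since key_count is printed with %u, confirm `i` is not a narrower or signed type.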