Bluetooth: Fix checking for valid address type values in mgmt commands

This patch adds checks for valid address type values passed to mgmt
commands. If an invalid address type is encountered the code will return
a proper invalid params response.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index bc04c44..7dd2de1 100644 (file)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1526,6 +1526,14 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
        BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
               key_count);
 
+       for (i = 0; i < key_count; i++) {
+               struct mgmt_link_key_info *key = &cp->keys[i];
+
+               if (key->addr.type != BDADDR_BREDR)
+                       return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
+                                         MGMT_STATUS_INVALID_PARAMS);
+       }
+
        hci_dev_lock(hdev);
 
        hci_link_keys_clear(hdev);
@@ -1573,12 +1581,17 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
        struct hci_conn *conn;
        int err;
 
-       hci_dev_lock(hdev);
-
        memset(&rp, 0, sizeof(rp));
        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
        rp.addr.type = cp->addr.type;
 
+       if (!bdaddr_type_is_valid(cp->addr.type))
+               return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
+                                   MGMT_STATUS_INVALID_PARAMS,
+                                   &rp, sizeof(rp));
+
+       hci_dev_lock(hdev);
+
        if (!hdev_is_powered(hdev)) {
                err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
                                   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
@@ -1643,6 +1656,10 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
 
        BT_DBG("");
 
+       if (!bdaddr_type_is_valid(cp->addr.type))
+               return cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT,
+                                 MGMT_STATUS_INVALID_PARAMS);
+
        hci_dev_lock(hdev);
 
        if (!test_bit(HCI_UP, &hdev->flags)) {
@@ -1947,6 +1964,11 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
        bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
        rp.addr.type = cp->addr.type;
 
+       if (!bdaddr_type_is_valid(cp->addr.type))
+               return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
+                                   MGMT_STATUS_INVALID_PARAMS,
+                                   &rp, sizeof(rp));
+
        hci_dev_lock(hdev);
 
        if (!hdev_is_powered(hdev)) {
@@ -2564,6 +2586,10 @@ static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
 
        BT_DBG("%s", hdev->name);
 
+       if (!bdaddr_type_is_valid(cp->addr.type))
+               return cmd_status(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
+                                 MGMT_STATUS_INVALID_PARAMS);
+
        hci_dev_lock(hdev);
 
        err = hci_blacklist_add(hdev, &cp->addr.bdaddr, cp->addr.type);
@@ -2589,6 +2615,10 @@ static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
 
        BT_DBG("%s", hdev->name);
 
+       if (!bdaddr_type_is_valid(cp->addr.type))
+               return cmd_status(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
+                                 MGMT_STATUS_INVALID_PARAMS);
+
        hci_dev_lock(hdev);
 
        err = hci_blacklist_del(hdev, &cp->addr.bdaddr, cp->addr.type);
@@ -2707,6 +2737,8 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key)
                return false;
        if (key->master != 0x00 && key->master != 0x01)
                return false;
+       if (!bdaddr_type_is_le(key->addr.type))
+               return false;
        return true;
 }