linux-stable/net
csonsino 427d80d8a4 Bluetooth: validate BLE connection interval updates
[ Upstream commit c49a8682fc ]

Problem: The Linux Bluetooth stack yields complete control over the BLE
connection interval to the remote device.

The Linux Bluetooth stack provides access to the BLE connection interval
min and max values through /sys/kernel/debug/bluetooth/hci0/
conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
These values are used for initial BLE connections, but the remote device
has the ability to request a connection parameter update. In the event
that the remote side requests to change the connection interval, the Linux
kernel currently only validates that the desired value is within the
acceptable range in the Bluetooth specification (6 - 3200, corresponding to
7.5ms - 4000ms). There is currently no validation that the desired value
requested by the remote device is within the min/max limits specified in
the conn_min_interval/conn_max_interval configurations. This essentially
leads to Linux yielding complete control over the connection interval to
the remote device.

The proposed patch adds a verification step to the connection parameter
update mechanism, ensuring that the desired value is within the min/max
bounds of the current connection. If the desired value is outside of the
current connection min/max values, then the connection parameter update
request is rejected and the negative response is returned to the remote
device. Recall that the initial connection is established using the local
conn_min_interval/conn_max_interval values, so this allows the Linux
administrator to retain control over the BLE connection interval.

The one downside that I see is that the current default Linux values for
conn_min_interval and conn_max_interval typically correspond to 30ms and
50ms respectively. If this change were accepted, then it is feasible that
some devices would no longer be able to negotiate to their desired
connection interval values. This might be remedied by setting the default
Linux conn_min_interval and conn_max_interval values to the widest
supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
behavior as the current implementation, where the remote device could
request to change the connection interval value to any value that is
permitted by the Bluetooth specification, and Linux would accept the
desired value.

Signed-off-by: Carey Sonsino <csonsino@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-08-04 09:33:24 +02:00
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-03 17:01:42 -07:00
9p net/9p: include trans_common.h to fix missing prototype warning. 2019-07-10 09:55:38 +02:00
802
8021q vlan: disable SIOCSHWTSTAMP in container 2019-05-16 19:43:46 +02:00
appletalk appletalk: Fix use-after-free in atalk_proc_exit 2019-04-20 09:07:53 +02:00
atm net: atm: Fix potential Spectre v1 vulnerabilities 2019-04-27 09:34:40 +02:00
ax25 ax25: fix inconsistent lock state in ax25_destroy_timer 2019-06-22 08:17:21 +02:00
batman-adv batman-adv: fix for leaked TVLV handler. 2019-08-04 09:33:15 +02:00
bluetooth Bluetooth: validate BLE connection interval updates 2019-08-04 09:33:24 +02:00
bridge bridge: Fix error path for kobject_init_and_add() 2019-05-16 19:43:45 +02:00
caif caif: reduce stack size with KASAN 2019-05-08 07:19:07 +02:00
can can: purge socket error queue on sock destruct 2019-07-10 09:55:33 +02:00
ceph libceph: wait for latest osdmap in ceph_monc_blacklist_add() 2019-03-27 14:13:02 +09:00
core net: check before dereferencing netdev_ops during busy poll 2019-07-10 09:55:42 +02:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:47:15 +02:00
dccp dccp: do not use ipv6 header for ipv4 flow 2019-04-03 06:24:14 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:05:44 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:27:39 +02:00
dsa net: dsa: slave: Don't propagate flag changes on down slave interfaces 2019-02-12 19:45:00 +01:00
ethernet net: introduce device min_header_len 2017-02-18 15:11:43 +01:00
hsr net/hsr: fix possible crash in add_timer() 2019-03-19 13:14:08 +01:00
ieee802154 ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2019-05-02 09:32:06 +02:00
ipv4 bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro 2019-07-10 09:55:42 +02:00
ipv6 netfilter: ipv6: nf_defrag: accept duplicate fragments again 2019-07-21 09:05:53 +02:00
ipx ipx: call ipxitf_put() in ioctl error path 2017-05-25 15:44:41 +02:00
irda irda: Only insert new objects into the global database via setsockopt 2018-09-15 09:43:01 +02:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:11:34 +02:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:36:44 +02:00
key af_key: fix leaks in key_pol_get_resp and dump_sp. 2019-08-04 09:33:16 +02:00
l2tp l2tp: fix infoleak in l2tp_ip6_recvmsg() 2019-03-19 13:14:08 +01:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:17:22 +02:00
llc llc: fix skb leak in llc_build_and_send_ui_pkt() 2019-06-11 12:22:33 +02:00
mac80211 mac80211: only warn once on chanctx_conf being NULL 2019-07-21 09:05:56 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 20:01:19 +02:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-03-11 16:21:34 +01:00
ncsi
netfilter ipvs: do not schedule icmp errors from tunnels 2019-05-16 19:43:42 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-13 14:04:53 -07:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:17:59 +02:00
netrom netrom: switch to sock timer API 2019-02-06 17:33:27 +01:00
nfc net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails 2019-03-13 14:04:53 -07:00
openvswitch ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2019-05-02 09:32:06 +02:00
packet af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET 2019-07-10 09:55:40 +02:00
phonet phonet: fix building with clang 2019-03-23 13:19:44 +01:00
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:12:36 +02:00
rds net: rds: fix memory leak in rds_ib_flush_mr_pool 2019-06-11 12:22:46 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:08:43 +02:00
rose net: rose: fix a possible stack overflow 2019-04-03 06:24:14 +02:00
rxrpc rxrpc: Fix client call queueing, waiting for channel 2019-03-19 13:14:10 +01:00
sched net: netem: fix skb length BUG_ON in __skb_to_sgvec 2019-03-13 14:04:53 -07:00
sctp sctp: change to hold sk after auth shkey is created successfully 2019-07-10 09:55:40 +02:00
strparser strparser: Fix incorrect strp->need_bytes value. 2018-04-29 11:32:02 +02:00
sunrpc net :sunrpc :clnt :Fix xps refcount imbalance on the error path 2019-07-21 09:05:57 +02:00
switchdev
tipc tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb 2019-07-10 09:55:42 +02:00
unix missing barriers in some of unix_sock ->addr and ->path accesses 2019-03-19 13:14:10 +01:00
vmw_vsock vsock/virtio: Initialize core virtio vsock before registering the driver 2019-05-25 18:26:44 +02:00
wimax
wireless cfg80211: fix memory leak of wiphy device name 2019-07-10 09:55:35 +02:00
x25 net/x25: fix a race in x25_bind() 2019-03-19 13:14:09 +01:00
xfrm ipsec: select crypto ciphers for xfrm_algo 2019-08-04 09:33:20 +02:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 16:16:41 +01:00
Kconfig
Makefile
socket.c net: socket: fix a missing-check bug 2018-11-10 07:42:58 -08:00
sysctl_net.c