Home | History | Annotate | Download | only in netbt
History log of /src/sys/netbt/hci_event.c
RevisionDateAuthorComments
 1.26  28-Sep-2019  plunky When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506

https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
 1.25  21-Aug-2018  plunky branches: 1.25.4;

Result of audit to check that mbuf length is checked before m_copydata()
and that any data supposedly copied out is valid before use.

prompted by maxv@, I have checked every usage of m_copydata() and made
the following corrections

hci_event.c:
hci_event_command_compl()
check that the packet does contain enough data for there to
be a status code before noting possible failures.

hci_event_num_compl_pkts()
check that the packet does contain data to cover the
stated number of handle/num pairs

l2cap_signal.c:
l2cap_recv_signal()
just ignore packets with not enough data rather than
trying to reject them (may not have cmd.ident)

l2cap_recv_command_rej()
check we have a valid reason and/or data before use
 1.24  28-Nov-2015  plunky branches: 1.24.10; 1.24.16; 1.24.18;
add version and extended feature flags defined in 4.2 specification,
add cache for page 2 of extended features and return this in
the SIOCGBTFEAT ioctl (no change in size)
 1.23  27-Jul-2011  plunky branches: 1.23.12; 1.23.28; 1.23.30; 1.23.32; 1.23.36;

cleanup some DIAGNOSTIC and KASSERT code

- remove #ifdef DIAGNOSTIC, so that we won't act
differently

- handle the cases where a Bluetooth adapter
sends invalid packet data (I've not seen this,
but it is not impossible)

- use KASSERT for actual impossible situations
(to catch bad future development)
 1.22  22-Nov-2010  plunky upon device initialisation, query and cache the device features,
and cache the maximum ACL/SCO packet buffers.

provide an additional SIOCGBTFEAT ioctl to retrieve the cached
features, and add the max values to the SIOC?BTINFO results.

(btreq does not change size)
 1.21  12-Sep-2009  plunky branches: 1.21.4;
slight reordering, plus only deal with ACL links
 1.20  24-Aug-2009  plunky add devices seen in "Extended Inquiry Result" to the cache
 1.19  20-Aug-2009  plunky add a per-unit master setting, to control requesting the master role
when accepting connections.
 1.18  24-Apr-2008  ad branches: 1.18.2;
Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.
 1.17  17-Mar-2008  plunky branches: 1.17.2;
move the updating of num_cmd_pkts to its own function, mostly so that
pending commands will be output on the device in the order that they
were queued.
 1.16  16-Mar-2008  plunky insert new links at the tail of the queue so that if a create_connection
command fails to start we can find the relevant link, since it will be
the first one with the pending flag set.
 1.15  06-Mar-2008  plunky a "Create Connection" command can sometimes fail to start for whatever
reason and the command_status event returns failure but we get no
indication of which connection failed (for instance in the case where
we tried to open too many connections all at once)

So, keep a flag on the link to indicate pending status until the
command_status event is returned to help us decide which should
be failed.
 1.14  10-Feb-2008  plunky branches: 1.14.2; 1.14.6;
add HCI definitions from the Bluetooth 2.1 spec
 1.13  30-Dec-2007  plunky request and keep a mask of supported commands per unit in order
to block unsupported HCI commands sent by unprivileged users
reaching the device.
 1.12  28-Nov-2007  plunky branches: 1.12.6;
[experimentally] report failing commands

this does happen sometimes and I would like to see if it happens
more often than I know of.
 1.11  28-Nov-2007  plunky Clean up the way that bluetooth drivers attach to the bluetooth stack,
to remove the frobbing that drivers must do in the hci_unit structure.

- driver provides a static const interface descriptor
- hci_unit is allocated by hci_attach() rather than part of softc
- statistics are compiled by driver and provided on request
- driver provides output methods and is responsible for output queue
- stack provides input methods and is responsible for input queue
- mutex is used to arbitrate device queue access
 1.10  10-Nov-2007  plunky use more device_t and device_xxx() accessors

make bluetooth stack keep device_t instead of softc pointer as
device is not necessarily part of softc, and pass device_t to
driver callbacks. hci_devname is no longer required.
 1.9  16-Sep-2007  plunky branches: 1.9.4; 1.9.6;
improve memo taking of known bluetooth devices

- centralise creation of new memo into function
hci_memo_new(), when a memo exists for that address,
just update the timestamp.

- all results of inquiry/rssi result are processed; even
if no memo can be allocated, we may update a timestamp.

- for new connections, query the clock offset of the remote
device, in order that we can use it to facilitate future
reconnections

- as a connection is removed, make a memo of the clock offset
 1.8  07-Sep-2007  plunky add event processing for "Inquiry result with RSSI", and modify the memo
contents so that this will fit.
 1.7  19-Jul-2007  plunky branches: 1.7.4; 1.7.6; 1.7.8;
not necessary to cast to (void *) (from caddr_t removal)
 1.6  21-Apr-2007  plunky branches: 1.6.2;
Add 'service level' security for L2CAP and RFCOMM connections, following
the Linux (BlueZ) API.

- L2CAP or RFCOMM connections can require the baseband radio link
mode be any of:
authenticated (devices are paired)
encrypted (implies authentication)
secured (encryption, plus generate new link key)

- for sockets, the mode is set using setsockopt(2) and the socket
connection will be aborted if the mode change fails.

- mode settings will be applied during connection establishment, and
for safety, we enter a wait state and will only proceed when the mode
settings are successfuly set.

- It is possible to change the mode on already open connections, but
not possible to guarantee that data already queued (from either end)
will not be delivered. (this is a feature, not a bug)

- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and
"secure" options

- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for
keyboards (which are required to support it)
 1.5  05-Apr-2007  plunky remove default setting of bluetooth_debug, since 'options BLUETOOTH_DEBUG'
causes it to fail
 1.4  15-Mar-2007  plunky remove C++ style comments
 1.3  04-Mar-2007  christos branches: 1.3.2; 1.3.4; 1.3.6;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
 1.2  11-Sep-2006  plunky branches: 1.2.4; 1.2.6; 1.2.10;
Endian issues:

hci_event.c:
- Convert memo->response.clock_offset to host-endian.

hci_ioctl.c:
- printf format tweak (size_t)

hci_link.c:
- Convert memo->response.clock_offset from host-endian.
- Tweak a DIAGNOSTIC message.

l2cap_signal.c:
- In l2cap_recv_config_req(), rp->scid is little-endian so make sure
we convert from host-endian.

from scw@
 1.1  19-Jun-2006  gdamore branches: 1.1.2; 1.1.4; 1.1.6; 1.1.8; 1.1.10; 1.1.12; 1.1.14;
Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.
 1.1.14.2  09-Sep-2006  rpaulo sync with head
 1.1.14.1  19-Jun-2006  rpaulo file hci_event.c was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:58:38 +0000
 1.1.12.1  18-Nov-2006  ad Sync with head.
 1.1.10.1  14-Sep-2006  riz Pull up following revision(s) (requested by plunky in ticket #161):
sys/dev/bluetooth/btdev.h: revision 1.4
distrib/sets/lists/comp/mi: revision 1.922
usr.sbin/postinstall/postinstall: revision 1.25
sys/netbt/hci_unit.c: revision 1.3
sys/netbt/hci_ioctl.c: revision 1.4
usr.sbin/sdpd/profile.c: revision 1.2
usr.sbin/btdevctl/btdevctl.c: revision 1.2
share/man/man4/Makefile: revision 1.405
distrib/sets/lists/man/mi: revision 1.930
distrib/sets/lists/etc/mi: revision 1.176
usr.sbin/sdpd/profile.c: revision 1.3
usr.sbin/btdevctl/btdevctl.c: revision 1.3
etc/MAKEDEV.tmpl: revision 1.62
distrib/sets/lists/base/mi: revision 1.650
usr.sbin/btdevctl/btdevctl.h: revision 1.2
usr.bin/sdpquery/sdpquery.1: revision 1.4
sys/netbt/rfcomm_session.c: revision 1.2
usr.sbin/btdevctl/btdevctl.8: revision 1.3
usr.bin/sdpquery/search.c: revision 1.2
usr.sbin/sdpd/Makefile: revision 1.2
sys/dev/bluetooth/Makefile: revision 1.3
usr.sbin/btdevctl/cfg.c: file removal
sys/netbt/files.netbt: revision 1.4
usr.sbin/btdevctl/sdp.c: revision 1.1
sys/dev/bluetooth/bthidev.c: revision 1.3
etc/bluetooth/Makefile: revision 1.3
sys/dev/pcmcia/files.pcmcia: revision 1.51
sys/dev/bluetooth/bthidev.c: revision 1.4
sys/dev/bluetooth/bthidev.h: revision 1.3
usr.sbin/btdevctl/dev.c: file removal
sys/dev/bluetooth/files.bluetooth: revision 1.10
sys/arch/i386/conf/GENERIC: revision 1.777
share/man/man4/ubt.4: revision 1.6
share/man/man4/bthub.4: revision 1.3
sys/netbt/hci.h: revision 1.5
sys/arch/i386/conf/GENERIC_LAPTOP: revision 1.202
lib/libsdp/sdp.h: revision 1.2
usr.sbin/btdevctl/print.c: revision 1.1
share/man/man4/bthidev.4: revision 1.5
share/man/man4/btdev.4: file removal
usr.sbin/btdevctl/print.c: revision 1.2
sys/arch/i386/conf/GENERIC_LAPTOP: revision 1.205
usr.sbin/btdevctl/Makefile: revision 1.2
sys/dev/usb/files.usb: revision 1.70
sys/netbt/l2cap_signal.c: revision 1.2
sys/netbt/hci_link.c: revision 1.4
sys/dev/bluetooth/bthub.c: revision 1.3
share/man/man4/btsco.4: revision 1.5
sys/netbt/hci_link.c: revision 1.5
share/man/man4/btdev.4: revision 1.4
sys/dev/bluetooth/btkbd.c: revision 1.3
sys/dev/bluetooth/btdev.c: file removal
sys/netbt/hci_event.c: revision 1.2
sys/dev/bluetooth/btsco.h: revision 1.2
etc/mtree/special: revision 1.101
sys/dev/bluetooth/btsco.c: revision 1.3
sys/conf/majors: revision 1.27
usr.sbin/sdpd/hf.c: revision 1.1
sys/dev/bluetooth/btsco.c: revision 1.4
share/man/man5/rc.conf.5: revision 1.107
sys/dev/bluetooth/btdev.c: revision 1.2
etc/rc.d/btdevctl: revision 1.2
usr.sbin/btdevctl/db.c: revision 1.1
etc/rc.d/btdevctl: revision 1.3
etc/bluetooth/btdevctl.conf: revision 1.1
usr.sbin/btdevctl/hid.c: file removal
sys/arch/i386/conf/GENERIC: revision 1.781
sys/dev/bluetooth/btdev.h: revision 1.3
Make btdev default count explicit
Fix typo in variable name
update to bluetooth device attachment:
remove pseudo-device btdev(4) and inherent limitations
add bthub(4) which autoconfigures at bluetooth controllers as they
are enabled. bluetooth devices now attach here.
btdevctl(8) and its cache is updated to handle new semantics
etc/rc.d/btdevctl is updated to configure devices from a list
in /etc/bluetooth/btdevctl.conf
also include service name in dictionary being sent to kernel.
(this is not used just yet, but it might be in the future and it will
be easier if we dont have to provide code to handle its absence)
clarify the CAVEAT section somewhat
Add service discovery support for the Handsfree profile
Replace static 'FreeBSD' string with operating system name gleaned
from uname(3)
Halt the callout on detach
btsco.c:
- sco_getopt(..., SO_SCO_MTU, ...) expects the address of a uint16_t,
not an int. So change sc_mtu's type to uint16_t.
- Try a little harder to ensure btsco_round_blocksize() does not
return zero. Prevents a subsequent panic in audio_init_ringbuffer().
from scw@
Endian issues:
hci_event.c:
- Convert memo->response.clock_offset to host-endian.
hci_ioctl.c:
- printf format tweak (size_t)
hci_link.c:
- Convert memo->response.clock_offset from host-endian.
- Tweak a DIAGNOSTIC message.
l2cap_signal.c:
- In l2cap_recv_config_req(), rp->scid is little-endian so make sure
we convert from host-endian.
from scw@
hci_link.c:
- In hci_link_free(), do not unlink items from a LIST queue within
a LIST_FOREACH() iterator.
rfcomm_session.c:
- In rfcomm_session_recv_mcc_nsc(), do not unlink items from a LIST
queue within a LIST_FOREACH() iterator.
from scw@
guard against a possible situation where the list of l2cap channels is changed
when the bluetooth code is not expecting it to be. During a disconnect, we can
detach the channel that is being disconnected, but its not really safe to detach
any others.
Print explicit 64-bit types using the format macros from int_fmtio.h.
Unbreaks the build for our LP64 ports, where "long long" typically is
not 64 bits.
 1.1.8.2  13-Jul-2006  gdamore Merge from HEAD.
 1.1.8.1  19-Jun-2006  gdamore file hci_event.c was added on branch gdamore-uart on 2006-07-13 17:49:58 +0000
 1.1.6.3  14-Sep-2006  yamt sync with head.
 1.1.6.2  26-Jun-2006  yamt sync with head.
 1.1.6.1  19-Jun-2006  yamt file hci_event.c was added on branch yamt-pdpolicy on 2006-06-26 12:53:57 +0000
 1.1.4.2  22-Jun-2006  chap Complete a sync sys/ with head.
 1.1.4.1  19-Jun-2006  chap file hci_event.c was added on branch chap-midi on 2006-06-22 03:39:50 +0000
 1.1.2.11  24-Mar-2008  yamt sync with head.
 1.1.2.10  17-Mar-2008  yamt sync with head.
 1.1.2.9  11-Feb-2008  yamt sync with head.
 1.1.2.8  21-Jan-2008  yamt sync with head
 1.1.2.7  07-Dec-2007  yamt sync with head
 1.1.2.6  15-Nov-2007  yamt sync with head.
 1.1.2.5  27-Oct-2007  yamt sync with head.
 1.1.2.4  03-Sep-2007  yamt sync with head.
 1.1.2.3  30-Dec-2006  yamt sync with head.
 1.1.2.2  21-Jun-2006  yamt sync with head.
 1.1.2.1  19-Jun-2006  yamt file hci_event.c was added on branch yamt-lazymbuf on 2006-06-21 15:10:51 +0000
 1.2.10.1  03-Sep-2007  wrstuden Sync w/ NetBSD-4-RC_1
 1.2.6.4  07-May-2007  yamt sync with head.
 1.2.6.3  15-Apr-2007  yamt sync with head.
 1.2.6.2  24-Mar-2007  yamt sync with head.
 1.2.6.1  12-Mar-2007  rmind Sync with HEAD.
 1.2.4.1  19-Jul-2007  liamjfoy Pull up following revision(s) (requested by plunky in ticket #744):
sys/netbt/l2cap_lower.c: revision 1.6
sys/dev/bluetooth/btdev.h: revision 1.6
sys/netbt/sco_socket.c: revision 1.9
sys/netbt/rfcomm_upper.c: revision 1.3
sys/netbt/l2cap_socket.c: revision 1.7
sys/netbt/rfcomm_upper.c: revision 1.5
lib/libusbhid/usbhid.h: revision 1.5
sys/netbt/rfcomm_upper.c: revision 1.6
usr.sbin/btdevctl/btdevctl.c: revision 1.4
usr.sbin/btdevctl/btdevctl.h: revision 1.3
usr.sbin/btdevctl/btdevctl.8: revision 1.4
sys/netbt/rfcomm_session.c: revision 1.5
sys/netbt/hci.h: revision 1.10
usr.bin/rfcomm_sppd/rfcomm_sppd.c: revision 1.6
sys/netbt/hci_link.c: revision 1.11
usr.bin/rfcomm_sppd/rfcomm_sppd.c: revision 1.7
usr.bin/rfcomm_sppd/rfcomm_sppd.c: revision 1.8
sys/dev/bluetooth/btsco.c: revision 1.14
sys/netbt/rfcomm_session.c: revision 1.9
usr.sbin/btdevctl/sdp.c: revision 1.2
share/man/man9/bluetooth.9: revision 1.2
usr.sbin/btdevctl/sdp.c: revision 1.3
sys/dev/bluetooth/bthidev.c: revision 1.8
sys/netbt/l2cap.h: revision 1.4
sys/netbt/rfcomm.h: revision 1.3
sys/netbt/l2cap.h: revision 1.5
sys/netbt/l2cap_misc.c: revision 1.3
share/man/man4/bluetooth.4: revision 1.5
lib/libusbhid/usbhid.3: revision 1.11
sys/netbt/bluetooth.h: revision 1.5
share/man/man4/bthidev.4: revision 1.8
sys/netbt/rfcomm_dlc.c: revision 1.3
usr.sbin/btdevctl/print.c: revision 1.8
sys/netbt/rfcomm_socket.c: revision 1.7
sys/netbt/l2cap_signal.c: revision 1.4
sys/netbt/l2cap_signal.c: revision 1.5
sys/netbt/l2cap_signal.c: revision 1.7
sys/netbt/hci_event.c: revision 1.6
usr.bin/rfcomm_sppd/rfcomm_sppd.1: revision 1.5
sys/netbt/l2cap_upper.c: revision 1.3
sys/netbt/l2cap_lower.c: revision 1.2
usr.sbin/btdevctl/db.c: revision 1.3
sys/netbt/l2cap_upper.c: revision 1.6
lib/libusbhid/descr.c: revision 1.5
sys/netbt/l2cap_upper.c: revision 1.7
sys/netbt/l2cap_lower.c: revision 1.4
Add 'service level' security for L2CAP and RFCOMM connections, following
the Linux (BlueZ) API.
- L2CAP or RFCOMM connections can require the baseband radio link
mode be any of:
authenticated (devices are paired)
encrypted (implies authentication)
secured (encryption, plus generate new link key)
- for sockets, the mode is set using setsockopt(2) and the socket
connection will be aborted if the mode change fails.
- mode settings will be applied during connection establishment, and
for safety, we enter a wait state and will only proceed when the mode
settings are successfuly set.
- It is possible to change the mode on already open connections, but
not possible to guarantee that data already queued (from either end)
will not be delivered. (this is a feature, not a bug)
- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and
"secure" options
- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for
keyboards (which are required to support it)
- ALSO INCLUDES OTHER MINOR FIXES
 1.3.6.1  18-Mar-2007  reinoud First attempt to bring branch in sync with HEAD
 1.3.4.1  11-Jul-2007  mjf Sync with head.
 1.3.2.4  09-Oct-2007  ad Sync with head.
 1.3.2.3  20-Aug-2007  ad Sync with HEAD.
 1.3.2.2  08-Jun-2007  ad Sync with head.
 1.3.2.1  10-Apr-2007  ad Sync with head.
 1.6.2.2  10-Sep-2007  skrll Sync with HEAD.
 1.6.2.1  15-Aug-2007  skrll Sync with HEAD.
 1.7.8.2  19-Jul-2007  plunky not necessary to cast to (void *) (from caddr_t removal)
 1.7.8.1  19-Jul-2007  plunky file hci_event.c was added on branch matt-mips64 on 2007-07-19 20:48:52 +0000
 1.7.6.3  23-Mar-2008  matt sync with HEAD
 1.7.6.2  09-Jan-2008  matt sync with HEAD
 1.7.6.1  06-Nov-2007  matt sync with HEAD
 1.7.4.3  03-Dec-2007  joerg Sync with HEAD.
 1.7.4.2  11-Nov-2007  joerg Sync with HEAD.
 1.7.4.1  02-Oct-2007  joerg Sync with HEAD.
 1.9.6.3  18-Feb-2008  mjf Sync with HEAD.
 1.9.6.2  08-Dec-2007  mjf Sync with HEAD.
 1.9.6.1  19-Nov-2007  mjf Sync with HEAD.
 1.9.4.1  13-Nov-2007  bouyer Sync with HEAD
 1.12.6.1  02-Jan-2008  bouyer Sync with HEAD
 1.14.6.2  02-Jun-2008  mjf Sync with HEAD.
 1.14.6.1  03-Apr-2008  mjf Sync with HEAD.
 1.14.2.1  24-Mar-2008  keiichi sync with head.
 1.17.2.1  18-May-2008  yamt sync with head.
 1.18.2.1  16-Sep-2009  yamt sync with head
 1.21.4.1  05-Mar-2011  rmind sync with head
 1.23.36.1  28-Sep-2019  martin Pull up following revision(s) (requested by plunky in ticket #1709):

sys/netbt/hci_event.c: revision 1.26
sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
 1.23.32.1  28-Sep-2019  martin Pull up following revision(s) (requested by plunky in ticket #1709):

sys/netbt/hci_event.c: revision 1.26
sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
 1.23.30.1  27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.23.28.1  28-Sep-2019  martin Pull up following revision(s) (requested by plunky in ticket #1709):

sys/netbt/hci_event.c: revision 1.26
sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
 1.23.12.1  03-Dec-2017  jdolecek update from HEAD
 1.24.18.2  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.24.18.1  10-Jun-2019  christos Sync with HEAD
 1.24.16.1  06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.24.10.1  28-Sep-2019  martin Pull up following revision(s) (requested by plunky in ticket #1395):

sys/netbt/hci_event.c: revision 1.26
sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
 1.25.4.1  28-Sep-2019  martin Pull up following revision(s) (requested by plunky in ticket #260):

sys/netbt/hci_event.c: revision 1.26
sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/

RSS XML Feed