#
5bdaf549 |
| 28-Sep-2019 |
plunky <plunky@NetBSD.org> |
When encrypted connections are configured, verify that the encryption key length has a minimum size when the adaptor supports that.
This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019
When encrypted connections are configured, verify that the encryption key length has a minimum size when the adaptor supports that.
This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
show more ...
|
#
8ff2796d |
| 21-Aug-2018 |
plunky <plunky@NetBSD.org> |
Result of audit to check that mbuf length is checked before m_copydata() and that any data supposedly copied out is valid before use.
prompted by maxv@, I have checked every usage of m_copydata() an
Result of audit to check that mbuf length is checked before m_copydata() and that any data supposedly copied out is valid before use.
prompted by maxv@, I have checked every usage of m_copydata() and made the following corrections
hci_event.c: hci_event_command_compl() check that the packet does contain enough data for there to be a status code before noting possible failures.
hci_event_num_compl_pkts() check that the packet does contain data to cover the stated number of handle/num pairs
l2cap_signal.c: l2cap_recv_signal() just ignore packets with not enough data rather than trying to reject them (may not have cmd.ident)
l2cap_recv_command_rej() check we have a valid reason and/or data before use
show more ...
|
#
0ac64c9f |
| 28-Nov-2015 |
plunky <plunky@NetBSD.org> |
add version and extended feature flags defined in 4.2 specification, add cache for page 2 of extended features and return this in the SIOCGBTFEAT ioctl (no change in size)
|
#
4d78d6ca |
| 27-Jul-2011 |
plunky <plunky@NetBSD.org> |
cleanup some DIAGNOSTIC and KASSERT code
- remove #ifdef DIAGNOSTIC, so that we won't act differently
- handle the cases where a Bluetooth adapter sends invalid packet data (I've not seen this,
cleanup some DIAGNOSTIC and KASSERT code
- remove #ifdef DIAGNOSTIC, so that we won't act differently
- handle the cases where a Bluetooth adapter sends invalid packet data (I've not seen this, but it is not impossible)
- use KASSERT for actual impossible situations (to catch bad future development)
show more ...
|
#
2c6dc8c0 |
| 22-Nov-2010 |
plunky <plunky@NetBSD.org> |
upon device initialisation, query and cache the device features, and cache the maximum ACL/SCO packet buffers.
provide an additional SIOCGBTFEAT ioctl to retrieve the cached features, and add the ma
upon device initialisation, query and cache the device features, and cache the maximum ACL/SCO packet buffers.
provide an additional SIOCGBTFEAT ioctl to retrieve the cached features, and add the max values to the SIOC?BTINFO results.
(btreq does not change size)
show more ...
|
#
0ae8e53b |
| 12-Sep-2009 |
plunky <plunky@NetBSD.org> |
slight reordering, plus only deal with ACL links
|
#
dab1b7f7 |
| 24-Aug-2009 |
plunky <plunky@NetBSD.org> |
add devices seen in "Extended Inquiry Result" to the cache
|
#
b7dec17f |
| 20-Aug-2009 |
plunky <plunky@NetBSD.org> |
add a per-unit master setting, to control requesting the master role when accepting connections.
|
#
15e29e98 |
| 24-Apr-2008 |
ad <ad@NetBSD.org> |
Merge the socket locking patch:
- Socket layer becomes MP safe. - Unix protocols become MP safe. - Allows protocol processing interrupts to safely block on locks. - Fixes a number of race conditions
Merge the socket locking patch:
- Socket layer becomes MP safe. - Unix protocols become MP safe. - Allows protocol processing interrupts to safely block on locks. - Fixes a number of race conditions.
With much feedback from matt@ and plunky@.
show more ...
|
#
a09c132d |
| 17-Mar-2008 |
plunky <plunky@NetBSD.org> |
move the updating of num_cmd_pkts to its own function, mostly so that pending commands will be output on the device in the order that they were queued.
|
#
0b1dda7d |
| 16-Mar-2008 |
plunky <plunky@NetBSD.org> |
insert new links at the tail of the queue so that if a create_connection command fails to start we can find the relevant link, since it will be the first one with the pending flag set.
|
#
d0e804ff |
| 06-Mar-2008 |
plunky <plunky@NetBSD.org> |
a "Create Connection" command can sometimes fail to start for whatever reason and the command_status event returns failure but we get no indication of which connection failed (for instance in the cas
a "Create Connection" command can sometimes fail to start for whatever reason and the command_status event returns failure but we get no indication of which connection failed (for instance in the case where we tried to open too many connections all at once)
So, keep a flag on the link to indicate pending status until the command_status event is returned to help us decide which should be failed.
show more ...
|
#
7acc9392 |
| 10-Feb-2008 |
plunky <plunky@NetBSD.org> |
add HCI definitions from the Bluetooth 2.1 spec
|
#
aeab3db8 |
| 30-Dec-2007 |
plunky <plunky@NetBSD.org> |
request and keep a mask of supported commands per unit in order to block unsupported HCI commands sent by unprivileged users reaching the device.
|
#
87914664 |
| 28-Nov-2007 |
plunky <plunky@NetBSD.org> |
[experimentally] report failing commands
this does happen sometimes and I would like to see if it happens more often than I know of.
|
#
736a9db0 |
| 28-Nov-2007 |
plunky <plunky@NetBSD.org> |
Clean up the way that bluetooth drivers attach to the bluetooth stack, to remove the frobbing that drivers must do in the hci_unit structure.
- driver provides a static const interface descriptor -
Clean up the way that bluetooth drivers attach to the bluetooth stack, to remove the frobbing that drivers must do in the hci_unit structure.
- driver provides a static const interface descriptor - hci_unit is allocated by hci_attach() rather than part of softc - statistics are compiled by driver and provided on request - driver provides output methods and is responsible for output queue - stack provides input methods and is responsible for input queue - mutex is used to arbitrate device queue access
show more ...
|
#
0b799668 |
| 10-Nov-2007 |
plunky <plunky@NetBSD.org> |
use more device_t and device_xxx() accessors
make bluetooth stack keep device_t instead of softc pointer as device is not necessarily part of softc, and pass device_t to driver callbacks. hci_devnam
use more device_t and device_xxx() accessors
make bluetooth stack keep device_t instead of softc pointer as device is not necessarily part of softc, and pass device_t to driver callbacks. hci_devname is no longer required.
show more ...
|
#
a0c60c7e |
| 16-Sep-2007 |
plunky <plunky@NetBSD.org> |
improve memo taking of known bluetooth devices
- centralise creation of new memo into function hci_memo_new(), when a memo exists for that address, just update the timestamp.
- all results of i
improve memo taking of known bluetooth devices
- centralise creation of new memo into function hci_memo_new(), when a memo exists for that address, just update the timestamp.
- all results of inquiry/rssi result are processed; even if no memo can be allocated, we may update a timestamp.
- for new connections, query the clock offset of the remote device, in order that we can use it to facilitate future reconnections
- as a connection is removed, make a memo of the clock offset
show more ...
|
#
9ab5b2f6 |
| 07-Sep-2007 |
plunky <plunky@NetBSD.org> |
add event processing for "Inquiry result with RSSI", and modify the memo contents so that this will fit.
|
#
8e15db75 |
| 19-Jul-2007 |
plunky <plunky@NetBSD.org> |
not necessary to cast to (void *) (from caddr_t removal)
|
#
f5db72e7 |
| 21-Apr-2007 |
plunky <plunky@NetBSD.org> |
Add 'service level' security for L2CAP and RFCOMM connections, following the Linux (BlueZ) API.
- L2CAP or RFCOMM connections can require the baseband radio link mode be any of: authenticat
Add 'service level' security for L2CAP and RFCOMM connections, following the Linux (BlueZ) API.
- L2CAP or RFCOMM connections can require the baseband radio link mode be any of: authenticated (devices are paired) encrypted (implies authentication) secured (encryption, plus generate new link key)
- for sockets, the mode is set using setsockopt(2) and the socket connection will be aborted if the mode change fails.
- mode settings will be applied during connection establishment, and for safety, we enter a wait state and will only proceed when the mode settings are successfuly set.
- It is possible to change the mode on already open connections, but not possible to guarantee that data already queued (from either end) will not be delivered. (this is a feature, not a bug)
- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and "secure" options
- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for keyboards (which are required to support it)
show more ...
|
#
b1afbe8d |
| 05-Apr-2007 |
plunky <plunky@NetBSD.org> |
remove default setting of bluetooth_debug, since 'options BLUETOOTH_DEBUG' causes it to fail
|
#
298d2038 |
| 15-Mar-2007 |
plunky <plunky@NetBSD.org> |
remove C++ style comments
|
#
53524e44 |
| 04-Mar-2007 |
christos <christos@NetBSD.org> |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
#
264c7935 |
| 11-Sep-2006 |
plunky <plunky@NetBSD.org> |
Endian issues:
hci_event.c: - Convert memo->response.clock_offset to host-endian.
hci_ioctl.c: - printf format tweak (size_t)
hci_link.c: - Convert memo->response.clock_offset from host-endian.
Endian issues:
hci_event.c: - Convert memo->response.clock_offset to host-endian.
hci_ioctl.c: - printf format tweak (size_t)
hci_link.c: - Convert memo->response.clock_offset from host-endian. - Tweak a DIAGNOSTIC message.
l2cap_signal.c: - In l2cap_recv_config_req(), rp->scid is little-endian so make sure we convert from host-endian.
from scw@
show more ...
|