Since u32 range size is not a multiple of 1,000,000, current passkey generation logic is biased.
Fixed this by adding a routine that selects passkey again if passkey is 4,200,000,000 or more.
Signed-off-by: Mincheol Son <encrypted.def@xxxxxxxxx>
---
net/bluetooth/smp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index c659c464f7ca..26ed83e0db34 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -922,7 +922,9 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
/* Generate random passkey. */
if (smp->method == CFM_PASSKEY) {
memset(smp->tk, 0, sizeof(smp->tk));
- get_random_bytes(&passkey, sizeof(passkey));
+ do {
+ get_random_bytes(&passkey, sizeof(passkey));
+ } while (passkey >= (u32)4200000000);
passkey %= 1000000;
put_unaligned_le32(passkey, smp->tk);
BT_DBG("PassKey: %d", passkey);
--
2.25.1
