> -----原始邮件----- > 发件人: mart1n@xxxxxxxxxx > 发送时间: 2021-05-16 20:08:34 (星期日) > 收件人: linux-bluetooth@xxxxxxxxxxxxxxx > 抄送: > 主题: some confusions about the design of some bluetooth function > > Hello, > Here're my confusions about some bluetooth function. > 1.Why does kernel handle the HCI_COMPLETE_EVENT packet firstly and check whether the command packet is the last sent packet after that? > As the following figure shows, kernel check whether the packet is the last sent packet after handle the packet. Why not revert the work in hci_cc_xx() if the completed command is not equal to the last one or just move the judgement before kernel do the work in hci_cc_xx()? > Here follows the process figure: > +-------------+ +------------------+ +----------------------+ > | hci_rx_work | --> | hci_event_packet | --> | hci_cmd_complete_evt | > +-------------+ +------------------+ +----------------------+ > | > | switch case > v > +----------------------+ > | hci_cc_xx | > +----------------------+ > | > | command completed > v > +----------------------+ the completed command != the last one +-------------------+ > +- | hci_req_cmd_complete | <--------------------------------------- | hci_sent_cmd_data | <+ > | +----------------------+ +-------------------+ | > | ^ | | > | | | else | > | | v | > | | +-------------------+ | > | +-------------------------------------------------------------- | xxx | | > | +-------------------+ | > | | > +-------------------------------------------------------------------------------------------+ > Otherwise, malicious controllers may send malformed HCI_COMPLETE_EVENT packet to make kernel change states even the kernel does not mean to. > > > 2.Why does kernel only check some status flag in few function of a state?I conclude flags kernel need to verify in the responding to most packets of INIT state.For example. kernel need to verify the HCI_SETUP and HCI_CONFIG flag before handling HCI_COMPLETE_EVENT packet of HCI_OP_READ_LOCAL_VERSION opcode, while it does not do any check for the HCI_COMPLETE_EVENT of HCI_OP_READ_LOCAL_FEATURES.There is more examples in the attachment. > > 3.Kernel does not verify the packet orderly. For example, in bredr_init() stage of INIT state, kernel should process packet like following: HCI_OP_READ_LOCAL_FEATURES -> HCI_OP_READ_LOCAL_VERSION -> HCI_OP_READ_BD_ADDR. But it does not check whether HCI_OP_READ_LOCAL_FEATURES packet is responded before it processes the responding of HCI_OP_READ_LOCAL_VERSION packet in hci_cmd_complete_evt() function. > > Above are my puzzles after reading the source code of linux bluetooth subsystem.I think some of them may lead to security issues. > I'd appreciate a lot if you can solve my confusions. Thanks a lot! > > Best regards. Sorry! I just forgot the attachment. : )
Attachment:
INIT_Packets.md
Description: Binary data
