Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3119836ybi;
        Fri, 5 Jul 2019 02:15:21 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyT25GzGThTzVi6XlT3PWr9a4ed7v0dc5QejQdKhLECjZlWRC5wVfzKhu38OWI5kA3pVyVN
X-Received: by 2002:a17:902:583:: with SMTP id f3mr4051296plf.137.1562318121049;
        Fri, 05 Jul 2019 02:15:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562318121; cv=none;
        d=google.com; s=arc-20160816;
        b=YBT+9c0NNiN4KOEmM+Ax2qeV2voaTNDiMg73bfadYBLdfAEudhhSZT9KspxwejHD65
         CeSQxE26wDgo8x6rPXx1M4++oushl6yP47B4K7KALg9LwhO41FL+h2jEGWeazr7c5rUV
         eEkRyk7UVxd4l560l+msww7L9upUr/BWzsW6325N3CjTBUQr1ZouP+BFORqzd4WBsyOM
         +yFi8nJ9RglrVGcxSvmnnDhzIRzT7feK/NQkgo9CcBompxb7KAS8/wM/2+0dW9Zr8oET
         t7H8h4eUZJnis3Xql7BINEijylOeEInSkseMiy12ZOx7z59ZvRQ378V4K4RIwglY5bn8
         TwrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=sRNXJW3DzFD6ypBMksXKAsmnFfaqMpPS2E8zTgsbknA=;
        b=bh4rfC7p9vkyasKI/8dl14I+Igaux4Y/IjCxf26VsQChS/m8SeLpk2BSW6tUJnlTW3
         j7yG23499l0HCoNMPcXNIQIZFR9JvefefP9AIIaFrH6d+dg0Am1h7ud865qy+rcVRdNF
         opp7LEzCaQka65AvNtb2DSI3mWzLVw3hD/QitZRudJOg2v6BuffImzMOROkSTfxRtJsM
         JuySf1lNYtj4h9gZu6q3SR8g2HuO6ZFWLE3TelzhwD/Ls7QL78/ArqywP7vTLJf2lTvc
         OXLsYewVKeodN5FxTXLtIy30gAe5k1cmnn9WJHK091GT+NoyuwUWc5GU0V13Wk7K5lM6
         1haA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@silvair-com.20150623.gappssmtp.com header.s=20150623 header.b=fP4cwTMj;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i8si2621649plb.423.2019.07.05.02.14.52;
        Fri, 05 Jul 2019 02:15:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@silvair-com.20150623.gappssmtp.com header.s=20150623 header.b=fP4cwTMj;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728222AbfGEJOa (ORCPT <rfc822;mathiasrobaert@gmail.com>
        + 99 others); Fri, 5 Jul 2019 05:14:30 -0400
Received: from mail-lj1-f196.google.com ([209.85.208.196]:38532 "EHLO
        mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727565AbfGEJO3 (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 5 Jul 2019 05:14:29 -0400
Received: by mail-lj1-f196.google.com with SMTP id r9so8567558ljg.5
        for <linux-bluetooth@vger.kernel.org>; Fri, 05 Jul 2019 02:14:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=silvair-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=sRNXJW3DzFD6ypBMksXKAsmnFfaqMpPS2E8zTgsbknA=;
        b=fP4cwTMjin8t0MHV7x/OMlkL8soqDO5DdrH5vU59eP1YzW6N7zyZy1IjdCEQoQ6f6f
         QmAcUmQ2r57/wLOL5+dn/Gs25SOsecfQh+ykKFu8PuhY0OtnKdBlGtBdr9McTBu4daxs
         4LtM38SDl/uWjw26lCMEFy/epaSjWta6O0SySKOHXMR94Eq1jjJTDksXg0Wi64bAM/pR
         EVQdxhgE5Hd5Tbu1GYUcIZ5rmnBmtg1eer0kaUcWacv2A5doBQg/QgWZ69h3nOiUyovg
         6oC+8AwVLF6WT4QnmbXKvT184/5uV1Z3ViFzewBmOBNdjGsYT98gNNVoJzgjx9sXLT9A
         RaZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=sRNXJW3DzFD6ypBMksXKAsmnFfaqMpPS2E8zTgsbknA=;
        b=AAZy/6oDCa9qdYPIdAHQwVQwzeHV1SlrlRE6fxtAwqx/gh6ZDuENoGWvA7hyZ2S/Z7
         U/iYzA5QEgU7Az1Pafo3abTjgJFNnWGJfWDlv7vTg74gEs6abLfCqTdJ3wG4g6h8Ia1L
         KVXuXjiXM04JCirh/ki2KbKW8KM3SDSC+lYSJNLI2myVafDY+ujyuPka7nXxkA74kaUK
         5u/YbID6+nArAVhB0J87JtYDnEIlrZY48jyuZWGBL6z41AdjkjE0rbsCcFl0XvaLf90H
         PJiEgD0KWYLW5Blzrjnbl9bwySAQMZfiwsWumAtJbq39KCBT+8TDutZ3rqdEvSAHRuh0
         07tA==
X-Gm-Message-State: APjAAAURcZCpkR5uMgW0gtqG28uIuWOGKaT+EPg5uRDtiiErTj9Z0s7K
        91xbMpOZKe8jzDP23nPBci71fRVvXY8=
X-Received: by 2002:a2e:96d5:: with SMTP id d21mr1604690ljj.170.1562318066656;
        Fri, 05 Jul 2019 02:14:26 -0700 (PDT)
Received: from kynes.internet.domowy ([217.153.94.18])
        by smtp.gmail.com with ESMTPSA id e13sm1671106ljg.102.2019.07.05.02.14.25
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 05 Jul 2019 02:14:26 -0700 (PDT)
From:   =?UTF-8?q?Micha=C5=82=20Lowas-Rzechonek?= 
        <michal.lowas-rzechonek@silvair.com>
To:     linux-bluetooth@vger.kernel.org
Cc:     =?UTF-8?q?Micha=C5=82=20=27Khorne=27=20Lowas-Rzechonek?= 
        <michal@rzechonek.net>
Subject: [PATCH BlueZ] mesh: Check address range passed to ImportRemoteNode
Date:   Fri,  5 Jul 2019 11:14:17 +0200
Message-Id: <20190705091417.28866-1-michal.lowas-rzechonek@silvair.com>
X-Mailer: git-send-email 2.22.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Michał 'Khorne' Lowas-Rzechonek <michal@rzechonek.net>

This patch disallows importing device key for:
 - non-unicast addresses
 - unicast addresses overlapping with local node address range
---
 doc/mesh-api.txt |  8 ++++++++
 mesh/keyring.c   |  9 +++++++++
 mesh/manager.c   | 13 +++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/doc/mesh-api.txt b/doc/mesh-api.txt
index f2ba164a9..4fa2f9690 100644
--- a/doc/mesh-api.txt
+++ b/doc/mesh-api.txt
@@ -609,9 +609,13 @@ Methods:
 
 		This call affects the local bluetooth-meshd key database only.
 
+		It is an error to call this with address range overlapping
+		with local element addresses.
+
 		PossibleErrors:
 			org.bluez.mesh.Error.Failed
 			org.bluez.mesh.Error.InvalidArguments
+			org.bluez.mesh.Error.NotAuthorized
 
 	void DeleteRemoteNode(uint16 primary, uint8 count)
 
@@ -626,8 +630,12 @@ Methods:
 
 		This call affects the local bluetooth-meshd key database only.
 
+		It is an error to call this with address range overlapping
+		with local element addresses.
+
 		PossibleErrors:
 			org.bluez.mesh.Error.InvalidArguments
+			org.bluez.mesh.Error.NotAuthorized
 
 Properties:
 	dict Features [read-only]
diff --git a/mesh/keyring.c b/mesh/keyring.c
index 4c6d2986d..be17fb8a5 100644
--- a/mesh/keyring.c
+++ b/mesh/keyring.c
@@ -131,6 +131,9 @@ bool keyring_put_remote_dev_key(struct mesh_node *node, uint16_t unicast,
 	if (!node)
 		return false;
 
+	if (!IS_UNICAST(unicast) || !IS_UNICAST(unicast + count - 1))
+		return false;
+
 	node_path = node_path_get(node);
 
 	if (strlen(node_path) + strlen(dev_key_dir) + 1 + 4 >= PATH_MAX)
@@ -221,6 +224,9 @@ bool keyring_get_remote_dev_key(struct mesh_node *node, uint16_t unicast,
 	if (!node)
 		return false;
 
+	if (!IS_UNICAST(unicast))
+		return false;
+
 	node_path = node_path_get(node);
 	snprintf(key_file, PATH_MAX, "%s%s/%4.4x", node_path, dev_key_dir,
 								unicast);
@@ -283,6 +289,9 @@ bool keyring_del_remote_dev_key(struct mesh_node *node, uint16_t unicast,
 	if (!node)
 		return false;
 
+	if (!IS_UNICAST(unicast) || !IS_UNICAST(unicast + count - 1))
+		return false;
+
 	node_path = node_path_get(node);
 	for (i = 0; i < count; i++) {
 		snprintf(key_file, PATH_MAX, "%s%s/%4.4x", node_path,
diff --git a/mesh/manager.c b/mesh/manager.c
index ca3562512..d3c4b2e21 100644
--- a/mesh/manager.c
+++ b/mesh/manager.c
@@ -31,6 +31,7 @@
 #include "mesh/node.h"
 #include "mesh/keyring.h"
 #include "mesh/manager.h"
+#include "mesh/net.h"
 
 static struct l_dbus_message *add_node_call(struct l_dbus *dbus,
 						struct l_dbus_message *msg,
@@ -60,6 +61,7 @@ static struct l_dbus_message *import_node_call(struct l_dbus *dbus,
 						void *user_data)
 {
 	struct mesh_node *node = user_data;
+	struct mesh_net *net = node_get_net(node);
 	struct l_dbus_message_iter iter_key;
 	uint16_t primary;
 	uint8_t num_ele;
@@ -75,6 +77,11 @@ static struct l_dbus_message *import_node_call(struct l_dbus *dbus,
 		return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
 							"Bad device key");
 
+	if (mesh_net_is_local_address(net, primary) ||
+			mesh_net_is_local_address(net, primary + num_ele - 1))
+		return dbus_error(msg, MESH_ERROR_NOT_AUTHORIZED,
+					"Cannot overwrite local device key");
+
 	if (!keyring_put_remote_dev_key(node, primary, num_ele, key))
 		return dbus_error(msg, MESH_ERROR_FAILED, NULL);
 
@@ -86,12 +93,18 @@ static struct l_dbus_message *delete_node_call(struct l_dbus *dbus,
 						void *user_data)
 {
 	struct mesh_node *node = user_data;
+	struct mesh_net *net = node_get_net(node);
 	uint16_t primary;
 	uint8_t num_ele;
 
 	if (!l_dbus_message_get_arguments(msg, "qy", &primary, &num_ele))
 		return dbus_error(msg, MESH_ERROR_INVALID_ARGS, NULL);
 
+	if (mesh_net_is_local_address(net, primary) ||
+			mesh_net_is_local_address(net, primary + num_ele - 1))
+		return dbus_error(msg, MESH_ERROR_NOT_AUTHORIZED,
+					"Cannot remove local device key");
+
 	keyring_del_remote_dev_key(node, primary, num_ele);
 
 	return l_dbus_message_new_method_return(msg);
-- 
2.22.0