Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2330570pxk;
        Sat, 19 Sep 2020 23:18:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwR9V6jQRBOftxi7q+35ZHLfUhb+413HdjcP7vKsXmeNADZxV322151uOdEfFRKnMPh1F1n
X-Received: by 2002:a17:906:bcfc:: with SMTP id op28mr38878205ejb.248.1600582695405;
        Sat, 19 Sep 2020 23:18:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600582695; cv=none;
        d=google.com; s=arc-20160816;
        b=UWgSr0r5M+cKrVL/yMOztTYn+6NRNDrCTuBQ9oTm/eS79UL6tiEAvcc+0JhHX4Up+L
         9nePoAag/OpaUf/m1VawwsCH/BuxgwB/bD+Dw7ZsbgNfiWkUHm/wsjAif8PGhzsdiyTs
         1oZMiWe8nYMpo61pa29G2lOX+/Mc4zGTO2JYoFIFWyf5wvKTpwnH3e8g+HT+QGuhXpqa
         MW03XtqKVC7xkK3+7ieP3X30V8guhMkF4aYShqJDjWC14x6oBCfcvC+OixjGm7MNbZdd
         GkbwLK16gKPhAG5wJnH8afjgUJYePHVAZOgXMi5I+hOSY82XbniGE8yhaJB2h5wzk30b
         q5KA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version;
        bh=6O9hNh9SpzEy9Jfwu3mY9C1LL5ueND7xT8OZ1Jm6sMI=;
        b=RucDdCHigb552kUicEXYcAz7gFMNNwZtCpRkUhHuXO/y+CO6Aojncx52mAf1mi+Y/H
         hKFLsbPaLtg14i9ytqTxOb7o03JKigBIEqGgaV+RlQ1bE4CCXnAbIDianaaGzDytZlnz
         oqNwBg644DXS13o+w5hrbWJs8lRzoLuuX+Em9XWtY/HBMa3xAFYiOX9oFWI+f0R3p/Yl
         P9s+eOx1U69T71LJ1yPbWF2ApUaIOYwQ6zBvhzuhCT/kaXIHqg9nuHm+r721IGda194k
         aGPsvzkGjAFpaQqTl6/6CtUYiudxeeG8LKj8sS1jwh+pnddnwTYzoOGzT3dG40Qku1mG
         YYRg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y25si6043157ejb.231.2020.09.19.23.17.51;
        Sat, 19 Sep 2020 23:18:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726247AbgITGRP convert rfc822-to-8bit (ORCPT
        <rfc822;sheikh.muhammad.mustafa@gmail.com> + 99 others);
        Sun, 20 Sep 2020 02:17:15 -0400
Received: from coyote.holtmann.net ([212.227.132.17]:38841 "EHLO
        mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726192AbgITGRP (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Sun, 20 Sep 2020 02:17:15 -0400
Received: from marcel-macbook.fritz.box (p4fefc7f4.dip0.t-ipconnect.de [79.239.199.244])
        by mail.holtmann.org (Postfix) with ESMTPSA id 820EECECA3;
        Sun, 20 Sep 2020 08:16:32 +0200 (CEST)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Subject: Re: [PATCH] Bluetooth: Fix the vulnerable issue on enc key size
From:   Marcel Holtmann <marcel@holtmann.org>
In-Reply-To: <20200918110223.GA10235@laptop-alex>
Date:   Sun, 20 Sep 2020 08:09:34 +0200
Cc:     Johan Hedberg <johan.hedberg@gmail.com>,
        linux-bluetooth <linux-bluetooth@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>,
        Max Chou <max.chou@realtek.com>
Content-Transfer-Encoding: 8BIT
Message-Id: <2E345B0D-5412-4DC1-9E22-452939DD7D2B@holtmann.org>
References: <20200918110223.GA10235@laptop-alex>
To:     Alex Lu <alex_lu@realsil.com.cn>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Alex,

> When someone attacks the service provider, it creates connection,
> authenticates. Then it requests key size of one byte and it identifies
> the key with brute force methods.
> 
> After l2cap info req/resp exchange is complete. the attacker sends l2cap
> connect with specific PSM.
> 
> In above procedure, there is no chance for the service provider to check
> the encryption key size before l2cap_connect(). Because the state of
> l2cap chan in conn->chan_l is BT_LISTEN, there is no l2cap chan with the
> state of BT_CONNECT or BT_CONNECT2.
> 
> So service provider should check the encryption key size in
> l2cap_connect()
> 
> Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
> ---
> net/bluetooth/l2cap_core.c | 7 +++++++
> 1 file changed, 7 insertions(+)
> 
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ade83e224567..63df961d402d 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4150,6 +4150,13 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
> 
> 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
> 		if (l2cap_chan_check_security(chan, false)) {
> +			if (!l2cap_check_enc_key_size(conn->hcon)) {
> +				l2cap_state_change(chan, BT_DISCONN);
> +				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
> +				result = L2CAP_CR_SEC_BLOCK;
> +				status = L2CAP_CS_NO_INFO;
> +				goto response;
> +			}
> 			if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
> 				l2cap_state_change(chan, BT_CONNECT2);
> 				result = L2CAP_CR_PEND;

I am not following what you are trying to fix here. Can you show this with a btmon trace from an attacking device?

Regards

Marcel