From 1f5ec7304fc4e297f9f9868b5bd9382c2a26c8cc Mon Sep 17 00:00:00 2001
From: Andre Eisenbach
Date: Thu, 13 Apr 2017 14:49:36 -0700
Subject: [PATCH] Do not remove device security record on LMP timeout

If an LMP timeout is encountered in the middle of authentication, the link key is removed from the controller (but not from NVRAM). This can result in a follow up connction triggering a LINK_KEY_MISSING reply, which in turn can cause a remote device to initiate pairing which will then finally remove the link key stored in NVRAM as well. This change prevents the link key from being removed from the Bluetooth controller in case of a timeout during link authentication.

Bug: 36798442
Test: manual
Change-Id: Ic89a16b45756e3d40b2e374c645c8f245f6ce3fc
---
 bta/dm/bta_dm_act.cc | 21 +++++++++++++--------
 btif/src/btif_dm.cc | 5 +----
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 9509ae680..1d6bb0643 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -384,9 +384,10 @@ static void bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status) {
 bta_dm_cb.is_bta_dm_active = false;
 } else if (status == BTA_SYS_HW_ON_EVT) {
 /* FIXME: We should not unregister as the SYS shall invoke this callback on
- * a H/W error.
- * We need to revisit when this platform has more than one BLuetooth H/W chip
- */
+ * a H/W error.
+ * We need to revisit when this platform has more than one BLuetooth H/W
+ * chip
+ */
 // bta_sys_hw_unregister( BTA_SYS_HW_BLUETOOTH);
 
 /* save security callback */
@@ -2606,7 +2607,11 @@ static uint8_t bta_dm_authentication_complete_cback(
 if (bta_dm_cb.p_sec_cback)
 bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
 
- bta_dm_remove_sec_dev_entry(bd_addr);
+ if (result != HCI_ERR_LMP_RESPONSE_TIMEOUT &&
+ result != HCI_ERR_PAGE_TIMEOUT &&
+ result != HCI_ERR_CONN_FAILED_ESTABLISHMENT) {
+ bta_dm_remove_sec_dev_entry(bd_addr);
+ }
 }
 
 return BTM_SUCCESS;
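Review bot: The new guard in front of `bta_dm_remove_sec_dev_entry(bd_addr)` is the whole substance of the fix, yet nothing in the code says why HCI_ERR_LMP_RESPONSE_TIMEOUT, HCI_ERR_PAGE_TIMEOUT and HCI_ERR_CONN_FAILED_ESTABLISHMENT keep the security record while every other failure drops it, and the commit message explains only the LMP-timeout case. The distinction is security-relevant in both directions (dropping the record on an attacker-inducible link timeout forces a re-pairing that wipes the stored key, as the message notes; keeping it on a failure where the peer actually rejected the key would leave a stale bond), so a maintainer extending this list needs it spelled out. I would hoist the three comparisons into a named predicate taking `result` (say `bta_dm_is_link_failure`) with the comment `/* Link-level failures: the peer never rejected our key, so keep the security record; dropping it makes the next connection report LINK_KEY_MISSING and forces a re-pairing that also removes the key from NVRAM. */`. The enclosing function and the branch closed by the trailing `}` start outside the hunk, so whether `result` here is the raw HCI status these constants are defined against, or an already BTM-mapped value, should be confirmed from the callback's signature.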
@@ -2654,7 +2659,7 @@ static uint8_t bta_dm_sp_cback(tBTM_SP_EVT event, tBTM_SP_EVT_DATA* p_data) {
 sec_event.cfm_req.loc_io_caps = p_data->cfm_req.loc_io_caps;
 sec_event.cfm_req.rmt_io_caps = p_data->cfm_req.rmt_io_caps;
 
-/* continue to next case */
+ /* continue to next case */
 /* Passkey entry mode, mobile device with output capability is very unlikely to receive key request, so skip this event */
 /*case BTM_SP_KEY_REQ_EVT: */
@@ -4492,10 +4497,10 @@ static void bta_dm_gatt_disc_result(tBTA_GATT_ID service_id) {
 tBTA_DM_SEARCH result;
 
 /*
- * This logic will not work for gatt case. We are checking against the * bluetooth profiles here
- * just copy the GATTID in raw data field and send it across.
- */
+ * This logic will not work for gatt case. We are checking against the * bluetooth profiles here
+ * just copy the GATTID in raw data field and send it across.
+ */
 
 if (bta_dm_search_cb.ble_raw_used + sizeof(tBTA_GATT_ID) <
 bta_dm_search_cb.ble_raw_size) {
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index cfe17b206..e428bd155 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -1148,6 +1148,7 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
 // Map the HCI fail reason to bt status
 switch (p_auth_cmpl->fail_reason) {
 case HCI_ERR_PAGE_TIMEOUT:
+ case HCI_ERR_LMP_RESPONSE_TIMEOUT:
 if (interop_match_addr(INTEROP_AUTO_RETRY_PAIRING, &bd_addr) &&
 pairing_cb.timeout_retries) {
 BTIF_TRACE_WARNING("%s() - Pairing timeout; retrying (%d) ...",
@@ -1166,10 +1167,6 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
 status = BT_STATUS_AUTH_REJECTED;
 break;
 
- case HCI_ERR_LMP_RESPONSE_TIMEOUT:
- status = BT_STATUS_AUTH_FAILURE;
- break;
-
 /* map the auth failure codes, so we can retry pairing if necessary */
 case HCI_ERR_AUTH_FAILURE:
 case HCI_ERR_KEY_MISSING:
-- 
2.11.0
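Review bot: Folding `case HCI_ERR_LMP_RESPONSE_TIMEOUT:` into the HCI_ERR_PAGE_TIMEOUT arm silently changes two things that the label itself does not record: the status reported upward for an LMP timeout is no longer the BT_STATUS_AUTH_FAILURE set by the removed arm but whatever the page-timeout arm assigns, and the automatic re-pairing gated on `interop_match_addr(INTEROP_AUTO_RETRY_PAIRING, &bd_addr)` and `pairing_cb.timeout_retries` now also fires for LMP timeouts. Since this mirrors the bta-layer decision to keep the security record on the same error codes, the coupling should be stated where the next reader will look, e.g. a comment on the new label: `/* Treat an LMP timeout like a page timeout: a link-level failure, not a key rejection, so it is eligible for the auto-retry below (see bta_dm_authentication_complete_cback). */`. The remainder of the arm, including the status assigned when no retry is attempted and whatever bounds `pairing_cb.timeout_retries`, lies outside the hunk, so I cannot confirm from this view that the retry counter also bounds the new path.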