Resolve incomplete fix for SMP authentication bypass

Brian Delwiche · aoleary · commit b464ffae3391 · 2025-01-13T14:09:50.000Z
Fix for b/251514170 was landed correctly on main, but in older branches SMP contains identical functions smp_proc_init and smp_proc_rand, both of which exhibit the problem, and only the former of which was patched. This allows the problem to still appear on branches from sc-dev to udc-dev. Add the logic to smp_proc_rand. Bug: 251514170 Test: m com.android.btservices Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b6737a08f5718b6400ffe78b494cb5f0779e56e) Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
diff --git a/system/stack/smp/smp_act.cc b/system/stack/smp/smp_act.cc
@@ -697,6 +697,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
     return;
   }
 
+  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+    // in legacy pairing, the peer should send its rand after
+    // we send our confirm
+    tSMP_INT_DATA smp_int_data{};
+    smp_int_data.status = SMP_INVALID_PARAMETERS;
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+    return;
+  }
+
   /* save the SRand for comparison */
   STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
 }
