Bluetooth: smp: Fix biased random passkey generation

Since u32 range size is not a multiple of 1,000,000, current passkey generation logic is biased. Fixed this by adding a routine that selects passkey again if passkey is 4,200,000,000 or more. Signed-off-by: Mincheol Son <encrypted.def@gmail.com>
0day-ci · Dec 7, 2020 · 80c9c18 · 80c9c18
1 parent 02be5f1
commit 80c9c18
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
@@ -922,7 +922,9 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 	/* Generate random passkey. */
 	if (smp->method == CFM_PASSKEY) {
 		memset(smp->tk, 0, sizeof(smp->tk));
-		get_random_bytes(&passkey, sizeof(passkey));
+		do {
+			get_random_bytes(&passkey, sizeof(passkey));
+		} while (passkey >= (u32)4200000000);
 		passkey %= 1000000;
 		put_unaligned_le32(passkey, smp->tk);
 		BT_DBG("PassKey: %d", passkey);