commit 1afc2a1ab6612dcc3f26db7ca1afba9cff359f1c
author Johan Hedberg <johan.hedberg@intel.com> Wed Sep 10 17:37:44 2014 -0700
committer Marcel Holtmann <marcel@holtmann.org> Thu Sep 11 02:45:24 2014 +0200
tree 732c2a96faeefeb35a72e89c0b1ee3fe8f3ece47
parent 24bd0bd94e0947e257c5cd6a85b0e337d953e79c

Bluetooth: Fix SMP security level when we have no IO capabilities

When the local IO capability is NoInputNoOutput any attempt to convert
the remote authentication requirement to a target security level is
futile. This patch makes sure that we set the target security level at
most to MEDIUM if the local IO capability is NoInputNoOutput.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

net/bluetooth/smp.c

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index be8371b..a08b077 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -959,7 +959,11 @@
 	memcpy(&smp->preq[1], req, sizeof(*req));
 	skb_pull(skb, sizeof(*req));
 
-	sec_level = authreq_to_seclevel(auth);
+	if (conn->hcon->io_capability == 0x03)
+		sec_level = BT_SECURITY_MEDIUM;
+	else
+		sec_level = authreq_to_seclevel(auth);
+
 	if (sec_level > conn->hcon->pending_sec_level)
 		conn->hcon->pending_sec_level = sec_level;
 
@@ -1165,7 +1169,11 @@
 
 	auth = rp->auth_req & AUTH_REQ_MASK;
 
-	sec_level = authreq_to_seclevel(auth);
+	if (hcon->io_capability == 0x03)
+		sec_level = BT_SECURITY_MEDIUM;
+	else
+		sec_level = authreq_to_seclevel(auth);
+
 	if (smp_sufficient_security(hcon, sec_level))
 		return 0;