• csonsino's avatar
    Bluetooth: validate BLE connection interval updates · c49a8682
    csonsino authored
    Problem: The Linux Bluetooth stack yields complete control over the BLE
    connection interval to the remote device.
    The Linux Bluetooth stack provides access to the BLE connection interval
    min and max values through /sys/kernel/debug/bluetooth/hci0/
    conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
    These values are used for initial BLE connections, but the remote device
    has the ability to request a connection parameter update. In the event
    that the remote side requests to change the connection interval, the Linux
    kernel currently only validates that the desired value is within the
    acceptable range in the Bluetooth specification (6 - 3200, corresponding to
    7.5ms - 4000ms). There is currently no validation that the desired value
    requested by the remote device is within the min/max limits specified in
    the conn_min_interval/conn_max_interval configurations. This essentially
    leads to Linux yielding complete control over the connection interval to
    the remote device.
    The proposed patch adds a verification step to the connection parameter
    update mechanism, ensuring that the desired value is within the min/max
    bounds of the current connection. If the desired value is outside of the
    current connection min/max values, then the connection parameter update
    request is rejected and the negative response is returned to the remote
    device. Recall that the initial connection is established using the local
    conn_min_interval/conn_max_interval values, so this allows the Linux
    administrator to retain control over the BLE connection interval.
    The one downside that I see is that the current default Linux values for
    conn_min_interval and conn_max_interval typically correspond to 30ms and
    50ms respectively. If this change were accepted, then it is feasible that
    some devices would no longer be able to negotiate to their desired
    connection interval values. This might be remedied by setting the default
    Linux conn_min_interval and conn_max_interval values to the widest
    supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
    behavior as the current implementation, where the remote device could
    request to change the connection interval value to any value that is
    permitted by the Bluetooth specification, and Linux would accept the
    desired value.
    Signed-off-by: default avatarCarey Sonsino <csonsino@gmail.com>
    Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>