authorBrian Delwiche <delwiche@google.com>2024-10-14 22:50:55 +0000
committeraoleary <seanm187@gmail.com>2025-01-13 14:09:50 +0000
commitb464ffae33916e0ecc0250252b23c2dc55771448 (patch)
treee858f051bbd70634331753d2a765e06c89eff8ff
parent2d3b891bddce74eecd887a62e5b66390e47d64e9 (diff)
Resolve incomplete fix for SMP authentication bypass
Fix for b/251514170 was landed correctly on main, but in older branches SMP contains identical functions smp_proc_init and smp_proc_rand, both of which exhibit the problem, and only the former of which was patched. This allows the problem to still appear on branches from sc-dev to udc-dev. Add the logic to smp_proc_rand. Bug: 251514170 Test: m com.android.btservices Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b6737a08f5718b6400ffe78b494cb5f0779e56e) Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
-rw-r--r--system/stack/smp/smp_act.cc11
1 files changed, 11 insertions, 0 deletions
diff --git a/system/stack/smp/smp_act.cc b/system/stack/smp/smp_act.cc
index d6021bbecd..1f1351b8d1 100644
--- a/system/stack/smp/smp_act.cc
+++ b/system/stack/smp/smp_act.cc
@@ -697,6 +697,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
return;
}
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+ // in legacy pairing, the peer should send its rand after
+ // we send our confirm
+ tSMP_INT_DATA smp_int_data{};
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
/* save the SRand for comparison */
STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
}
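Review bot: The added guard at L22–L24 is, per the commit message, a verbatim copy of the one already in smp_proc_init, and this commit exists precisely because that duplicated state check was patched in one place and missed in the other; hoisting it into a single `static bool smp_legacy_rand_before_confirm(const tSMP_CB* p_cb)` that both handlers call would keep the two from drifting again. Failing that, the comment on L25–L26 should at least name the bug and the sibling so the next maintainer knows to update both: `// b/251514170: in legacy pairing the peer's Rand must not arrive before we have sent our Confirm; keep in sync with smp_proc_init`. Whether SMP_AUTH_CMPL_EVT with SMP_INVALID_PARAMETERS is the same failure path used by the early return on L20–L21 cannot be confirmed from the hunk, since the enclosing smp_proc_rand body begins above it.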