| field | value | date |
|---|---|---|
| author | Brian Delwiche <delwiche@google.com> | 2025-01-15 23:10:51 +0000 |
| committer | aoleary <seanm187@gmail.com> | 2025-07-09 07:12:43 +0000 |
| commit | e86a12a29106ac2c69dee480638565638994dde2 (patch) | |
| tree | 1733f1475700e94eec304d6da74ed7b6e448138b | |
| parent | 5bc4103138ef6da65a02b5e8d1737904e5f4d212 (diff) | |
Fix authentication bypass bug in SMP
It is possible for a malicious peer to bypass SMP authentication by
claiming to have OOB data and proceeding with pairing, exploiting the
fact that the Android stack sets the OOB randomizer to zero if no local
OOB data is available.
Drop the connection if a peer claims it has OOB data but no local OOB
data has been stored.
Bug: 251514171
Test: m com.android.btservices
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83e55e8a316e319c82f727763ab791bfc24404dd)
Merged-In: Ib87574bd455bcc673a7e58283fd22342cf924cfd
Change-Id: Ib87574bd455bcc673a7e58283fd22342cf924cfd
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | system/stack/smp/smp_act.cc | 10 |

1 files changed, 10 insertions, 0 deletions
diff --git a/system/stack/smp/smp_act.cc b/system/stack/smp/smp_act.cc index 1f1351b8d1..c1b60c2b52 100644 --- a/system/stack/smp/smp_act.cc +++ b/system/stack/smp/smp_act.cc @@ -1947,6 +1947,16 @@ void smp_process_secure_connection_oob_data(tSMP_CB* p_cb, p_cb->local_random = {0}; } + if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && !p_sc_oob_data->loc_oob_data.present) { + SMP_TRACE_WARNING( + "local OOB data is not present but peer claims to have received it; dropping " + "connection", __func__); + tSMP_INT_DATA smp_int_data{}; + smp_int_data.status = SMP_OOB_FAIL; + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); + return; + } + if (!p_sc_oob_data->peer_oob_data.present) { SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__); p_cb->peer_random = {0}; |
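Review bot: the `SMP_TRACE_WARNING` call in the added block passes `__func__` as an argument but its format string contains no `%s` to consume it, so the function name is never logged and the argument is silently dropped; the neighbouring `SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__)` shows the intended pattern, so either prefix the message with `"%s: "` or remove the `__func__` argument. A short comment above the `if` would also help: the check sits after the `p_cb->local_random = {0};` assignment in the preceding context, and because the block returns immediately the zeroed randomizer is never used for this peer, which is the point the commit message makes and is not obvious from the code alone.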
