Brian May <br...@linuxpenguins.xyz> writes:

> Looking at commit
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e,
> it looks like maybe we should be patching the attio_connected_cb()
> function instead. But this function doesn't appear to have any way to
> return an error indicating it failed, which seems to be required by the
> patch. It might be sufficient just to ignore the error and return
> without immediately if device is not bonded. Not sure how much I can
> trust this however.
>
> My gut feeling to fix this we should backport version 5.43-2+deb9u2 from
> stretch to Jessie. Yes, this might break stuff, but I suspect just the
> very basic idea of this security fix - rejecting unbonded connections -
> could break stuff also.

Thinking this through some more, I struggle to get bluetooth working correctly on the latest Debian, let alone testing an older release. I am not sure if this is due to hardware or software issues. Not to mention the fact I don't have a lot of bluetooth HID devices to test. I am sure I had a bluetooth keyboard somewhere...

Is anybody here in a better position than I am to test this? If not, this might be another reason to backport the Stretch version...

Regardless, I suspect something like the following patch might be a good starting point. Although I am not entirely convinced you can reject a connection from the attio_connected_cb function like this...

=== cut ==== diff --git a/profiles/input/hog.c b/profiles/input/hog.c index b9aba657a..971fda822 100644 --- a/profiles/input/hog.c +++ b/profiles/input/hog.c @@ -654,6 +654,11 @@ static void attio_connected_cb(GAttrib *attrib, gpointer user_data) DBG("HoG connected"); + /* HOGP 1.0 Section 6.1 requires bonding */ + if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev))) + DBG("HoG not bonded"); + return; + hogdev->attrib = g_attrib_ref(attrib); if (hogdev->reports == NULL) { === cut ====

--
Brian May <b...@debian.org>
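
Review bot: the new if in attio_connected_cb() has no braces, so only the DBG("HoG not bonded") call is conditional and the return; after it executes on every connection. As written, hogdev->attrib = g_attrib_ref(attrib) and the reports setup below it are never reached, for bonded devices as well, so HoG would stop working entirely rather than only for unbonded peers. Put the DBG() and the return inside { }. Separately, hogdev is dereferenced just below for ->attrib and ->reports, so it appears to be the HoG-private structure; check that device_is_bonded() and btd_device_get_bdaddr_type() are being handed the device pointer type they expect and not that structure. Finally, the early return only skips attaching the GAttrib in this void callback; nothing in the hunk tears the connection down, so if the intent is to reject unbonded peers, the disconnect path needs to be handled explicitly.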