diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index a6f21f8c2f984b42607c5f13de5c2eeed245c0ea..e41bbe28a36e5afaead2fb549af8b1f807d3845f 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -7603,7 +7603,12 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
 if (key->type == SMP_LTK)
 ev.key.master = 1;
- memcpy(ev.key.val, key->val, sizeof(key->val));
+ /* Make sure we copy only the significant bytes based on the
+ * encryption key size, and set the rest of the value to zeroes.
+ */
+ memcpy(ev.key.val, key->val, sizeof(key->enc_size));
+ memset(ev.key.val + key->enc_size, 0,
+ sizeof(ev.key.val) - key->enc_size);
 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
 }
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 3921cba056d3100ca9341757d16221657628a68c..4bfaa3d3ed289c338766dd34df8561521c0200d6 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1271,7 +1271,14 @@ static void smp_distribute_keys(struct smp_chan *smp)
 __le16 ediv;
 __le64 rand;
- get_random_bytes(enc.ltk, sizeof(enc.ltk));
+ /* Make sure we generate only the significant amount of
+ * bytes based on the encryption key size, and set the rest
+ * of the value to zeroes.
+ */
+ get_random_bytes(enc.ltk, smp->enc_key_size);
+ memset(enc.ltk + smp->enc_key_size, 0,
+ sizeof(enc.ltk) - smp->enc_key_size);
+
 get_random_bytes(&ediv, sizeof(ediv));
 get_random_bytes(&rand, sizeof(rand));
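Review bot: In the mgmt_new_ltk() hunk of net/bluetooth/mgmt.c, the new memcpy length is `sizeof(key->enc_size)`, which is the size of the enc_size field itself (probably a single byte; its declaration is not in the hunk) rather than the key size it holds. The memset that follows clears only from offset key->enc_size onward, so the bytes between the copied prefix and that offset keep whatever ev held before. The initialisation of ev is outside the hunk, so that is either zeroes or stale stack contents, and in both cases the event hands userspace a wrong LTK. The length should be the value, `memcpy(ev.key.val, key->val, key->enc_size);`. Both calls also depend on key->enc_size never exceeding sizeof(ev.key.val), which is not checked in the visible lines.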
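Review bot: In the smp_distribute_keys() hunk of net/bluetooth/smp.c, both new calls trust smp->enc_key_size to be no larger than sizeof(enc.ltk). A larger value would make get_random_bytes() write past enc.ltk, and the memset length `sizeof(enc.ltk) - smp->enc_key_size` would wrap to a very large unsigned count. The pairing code that bounds the negotiated key size is not in this hunk, so either name that invariant in the new comment or clamp locally, for example `u8 len = min_t(u8, smp->enc_key_size, sizeof(enc.ltk));`, and use len in both calls. The function body starts and ends outside the hunk.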