[nrf fromtree] Bluetooth: Mesh: Make net msg cache netkey aware

omkar3141 · nordicjm · commit 120840695811 · 2025-11-18T09:54:28.000Z
Improve the network message cache to be aware of network keys to prevent false duplicate detection across different subnets. This ensures that messages with the same source address and sequence number but from different network keys are not incorrectly identified as duplicates, as it can happen in certain cases. See ES-26350. Signed-off-by: Omkar Kulkarni <omkar.kulkarni@nordicsemi.no> (cherry picked from commit 22e3798) Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
diff --git a/subsys/bluetooth/mesh/net.c b/subsys/bluetooth/mesh/net.c
@@ -82,7 +82,8 @@ struct iv_val {
 
 static struct {
 	uint32_t src : 15, /* MSb of source is always 0 */
-	      seq : 17;
+		 seq : 17;
+	uint16_t net_idx;
 } msg_cache[CONFIG_BT_MESH_MSG_CACHE_SIZE];
 static uint16_t msg_cache_next;
 
@@ -145,20 +146,22 @@ static bool check_dup(struct net_buf_simple *data)
 	return false;
 }
 
-static bool msg_cache_match(struct net_buf_simple *pdu)
+static bool msg_cache_match(struct net_buf_simple *pdu, uint16_t net_idx)
 {
 	uint16_t i;
 
 	for (i = msg_cache_next; i > 0U;) {
 		if (msg_cache[--i].src == SRC(pdu->data) &&
-		    msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17))) {
+		    msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17)) &&
+		    msg_cache[i].net_idx == net_idx) {
 			return true;
 		}
 	}
 
 	for (i = ARRAY_SIZE(msg_cache); i > msg_cache_next;) {
 		if (msg_cache[--i].src == SRC(pdu->data) &&
-		    msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17))) {
+		    msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17)) &&
+		    msg_cache[i].net_idx == net_idx) {
 			return true;
 		}
 	}
@@ -171,6 +174,7 @@ static void msg_cache_add(struct bt_mesh_net_rx *rx)
 	msg_cache_next %= ARRAY_SIZE(msg_cache);
 	msg_cache[msg_cache_next].src = rx->ctx.addr;
 	msg_cache[msg_cache_next].seq = rx->seq;
+	msg_cache[msg_cache_next].net_idx = rx->sub->net_idx;
 	msg_cache_next++;
 }
 
@@ -653,15 +657,14 @@ static bool net_decrypt(struct bt_mesh_net_rx *rx, struct net_buf_simple *in,
 		return false;
 	}
 
-	if (rx->net_if == BT_MESH_NET_IF_ADV && msg_cache_match(out)) {
+	if (rx->net_if == BT_MESH_NET_IF_ADV && msg_cache_match(out, rx->sub->net_idx)) {
 		LOG_DBG("Duplicate found in Network Message Cache");
 		return false;
 	}
 
 	LOG_DBG("src 0x%04x", rx->ctx.addr);
 
-	return bt_mesh_net_decrypt(&cred->enc, out, BT_MESH_NET_IVI_RX(rx),
-				   proxy) == 0;
+	return bt_mesh_net_decrypt(&cred->enc, out, BT_MESH_NET_IVI_RX(rx), proxy) == 0;
 }
 
 /* Relaying from advertising to the advertising bearer should only happen

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,8 @@ struct iv_val {`
`82`	`82`
`83`	`83`	`static struct {`
`84`	`84`	`uint32_t src : 15, /* MSb of source is always 0 */`
`85`		`- seq : 17;`
	`85`	`+ seq : 17;`
	`86`	`+ uint16_t net_idx;`
`86`	`87`	`} msg_cache[CONFIG_BT_MESH_MSG_CACHE_SIZE];`
`87`	`88`	`static uint16_t msg_cache_next;`
`88`	`89`
`@@ -145,20 +146,22 @@ static bool check_dup(struct net_buf_simple *data)`
`145`	`146`	`return false;`
`146`	`147`	`}`
`147`	`148`
`148`		`-static bool msg_cache_match(struct net_buf_simple *pdu)`
	`149`	`+static bool msg_cache_match(struct net_buf_simple *pdu, uint16_t net_idx)`
`149`	`150`	`{`
`150`	`151`	`uint16_t i;`
`151`	`152`
`152`	`153`	`for (i = msg_cache_next; i > 0U;) {`
`153`	`154`	`if (msg_cache[--i].src == SRC(pdu->data) &&`
`154`		`- msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17))) {`
	`155`	`+ msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17)) &&`
	`156`	`+ msg_cache[i].net_idx == net_idx) {`
`155`	`157`	`return true;`
`156`	`158`	`}`
`157`	`159`	`}`
`158`	`160`
`159`	`161`	`for (i = ARRAY_SIZE(msg_cache); i > msg_cache_next;) {`
`160`	`162`	`if (msg_cache[--i].src == SRC(pdu->data) &&`
`161`		`- msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17))) {`
	`163`	`+ msg_cache[i].seq == (SEQ(pdu->data) & BIT_MASK(17)) &&`
	`164`	`+ msg_cache[i].net_idx == net_idx) {`
`162`	`165`	`return true;`
`163`	`166`	`}`
`164`	`167`	`}`
`@@ -171,6 +174,7 @@ static void msg_cache_add(struct bt_mesh_net_rx *rx)`
`171`	`174`	`msg_cache_next %= ARRAY_SIZE(msg_cache);`
`172`	`175`	`msg_cache[msg_cache_next].src = rx->ctx.addr;`
`173`	`176`	`msg_cache[msg_cache_next].seq = rx->seq;`
	`177`	`+ msg_cache[msg_cache_next].net_idx = rx->sub->net_idx;`
`174`	`178`	`msg_cache_next++;`
`175`	`179`	`}`
`176`	`180`
`@@ -653,15 +657,14 @@ static bool net_decrypt(struct bt_mesh_net_rx rx, struct net_buf_simple in,`
`653`	`657`	`return false;`
`654`	`658`	`}`
`655`	`659`
`656`		`- if (rx->net_if == BT_MESH_NET_IF_ADV && msg_cache_match(out)) {`
	`660`	`+ if (rx->net_if == BT_MESH_NET_IF_ADV && msg_cache_match(out, rx->sub->net_idx)) {`
`657`	`661`	`LOG_DBG("Duplicate found in Network Message Cache");`
`658`	`662`	`return false;`
`659`	`663`	`}`
`660`	`664`
`661`	`665`	`LOG_DBG("src 0x%04x", rx->ctx.addr);`
`662`	`666`
`663`		`- return bt_mesh_net_decrypt(&cred->enc, out, BT_MESH_NET_IVI_RX(rx),`
`664`		`- proxy) == 0;`
	`667`	`+ return bt_mesh_net_decrypt(&cred->enc, out, BT_MESH_NET_IVI_RX(rx), proxy) == 0;`
`665`	`668`	`}`
`666`	`669`
`667`	`670`	`/* Relaying from advertising to the advertising bearer should only happen`