Fix VTS Fuzz issue
[Description]
This change fixes the VTS fuzz issue:
1. Add null pointer checks in bluetooth_hci.cc and
vendor_interface.cc
2. send should return early if open has not completed
3. add lock in callback and set new callback
Bug: 247053367
Test:
1. Build Pass
2. Test VTS fuzz pass
Change-Id: I78da5aeb82f9f78b2b4a156196199183ce0dd8f2
diff --git a/bluetooth/1.0/default/bluetooth_hci.cc b/bluetooth/1.0/default/bluetooth_hci.cc
index a2211f4..869c723 100644
--- a/bluetooth/1.0/default/bluetooth_hci.cc
+++ b/bluetooth/1.0/default/bluetooth_hci.cc
@@ -33,7 +33,8 @@
class BluetoothDeathRecipient : public hidl_death_recipient {
public:
- BluetoothDeathRecipient(const sp<IBluetoothHci> hci) : mHci(hci) {}
+ BluetoothDeathRecipient(const sp<IBluetoothHci> hci)
+ : mHci(hci), has_died_(false) {}
virtual void serviceDied(
uint64_t /*cookie*/,
@@ -51,7 +52,7 @@
};
BluetoothHci::BluetoothHci()
- : death_recipient_(new BluetoothDeathRecipient(this)) {}
+ : death_recipient_(new BluetoothDeathRecipient(this)) {bt_enabled = 0;}
Return<void> BluetoothHci::initialize(
const ::android::sp<IBluetoothHciCallbacks>& cb) {
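Review bot: `bt_enabled` is tested and then written as a plain flag in initialize(), close() and sendDataToController(), with no lock visible in any of these hunks, so two overlapping calls could both pass the `bt_enabled == 1` / `bt_enabled != 1` checks. Its declaration is in the header, which is not on this page. If HIDL calls or the death-recipient path can reach this object from more than one thread, it should be a `std::atomic<bool>` updated with a compare-exchange, or the checks should run under the mutex the description mentions for the callbacks. As a style point, the constructor could set the flag in the initialiser list rather than the body (`..., bt_enabled(0) {}`), and a trailing underscore would match `death_recipient_` and `unlink_cb_`.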
@@ -61,8 +62,19 @@
return Void();
}
+ if (bt_enabled == 1) {
+ ALOGE("initialize was called!");
+ return Void();
+ }
+ bt_enabled = 1;
death_recipient_->setHasDied(false);
cb->linkToDeath(death_recipient_, 0);
+ unlink_cb_ = [cb](sp<BluetoothDeathRecipient>& death_recipient) {
+ if (death_recipient->getHasDied())
+ ALOGI("Skipping unlink call, service died.");
+ else
+ cb->unlinkToDeath(death_recipient);
+ };
bool rc = VendorInterface::Initialize(
[cb](bool status) {
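Review bot: `bt_enabled = 1` is committed before `VendorInterface::Initialize` has returned, so if `rc` comes back false the object stays marked as enabled unless the failure branch below this hunk clears it. In that state the new guard in sendDataToController() lets a caller through to `VendorInterface::get()->Send(...)` on an interface that never came up. Either set the flag only once `rc` is true, or have the failure path undo what was set up here, along the lines of `if (!rc) { unlink_cb_(death_recipient_); bt_enabled = 0; }`. The early return for a repeated initialize() also leaves the second caller's `cb` without any completion status, which deserves a comment if it is intended. The body of initialize() continues outside the hunk.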
@@ -112,6 +124,12 @@
Return<void> BluetoothHci::close() {
ALOGI("BluetoothHci::close()");
+
+ if (bt_enabled != 1) {
+ ALOGE("should initialize first!");
+ return Void();
+ }
+ bt_enabled = 0;
unlink_cb_(death_recipient_);
VendorInterface::Shutdown();
return Void();
@@ -134,6 +152,11 @@
void BluetoothHci::sendDataToController(const uint8_t type,
const hidl_vec<uint8_t>& data) {
+ if (bt_enabled != 1) {
+ ALOGE("should initialize first!");
+ return;
+ }
+
VendorInterface::get()->Send(type, data.data(), data.size());
}
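Review bot: The result of `VendorInterface::get()` is still dereferenced unchecked at the `Send` call, because the new guard only tests `bt_enabled`, which records what this class believes rather than whether the vendor interface object exists. The description lists a null pointer check for this file, so I would expect it here: `auto* vendor = VendorInterface::get(); if (vendor == nullptr) { ALOGE("vendor interface not available"); return; }` followed by `vendor->Send(type, data.data(), data.size());`. Whether `get()` can return null after Shutdown() or a failed Initialize depends on vendor_interface.cc, which is not shown on this page.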