Fix bluetooth aidl crash
[Description]
During the servicefuzz test, sending a packet after the AIDL interface has
already been closed causes a crash.
[Root Cause]
send() does not check the AIDL state (mState) and may use an invalid socket fd.
[Solution]
Add an AIDL state check before sending.
[Test Report]
Bluetooth servicefuzz test passes.
Change-Id: Id10c72269a392562798a6e46e9753402db423ee3
Bug: 308904509
diff --git a/bluetooth/aidl/default/BluetoothHci.cpp b/bluetooth/aidl/default/BluetoothHci.cpp
index 9862e9e..a247cb0 100644
--- a/bluetooth/aidl/default/BluetoothHci.cpp
+++ b/bluetooth/aidl/default/BluetoothHci.cpp
@@ -320,6 +320,7 @@
{
std::lock_guard<std::mutex> guard(mStateMutex);
mState = HalState::READY;
+ mH4 = nullptr;
}
return ndk::ScopedAStatus::ok();
}
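Review bot: Clearing `mH4` under `mStateMutex` on the added line is what makes the null check in send() meaningful, but that only holds if every other write to `mH4` (for example the assignment in initialize(), not visible here) is also done under the same mutex; otherwise send() can still observe a half-constructed or half-destroyed transport. A comment on that line would stop a later change from moving it out of the locked region: `// Cleared under mStateMutex: send() tests mH4 under the same lock.`. Note that assigning nullptr also destroys the transport while the lock is held; if that destructor joins a reader thread that itself acquires `mStateMutex`, this would deadlock, which is worth confirming since the H4 type is not visible here. The enclosing function starts outside this hunk.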
@@ -346,13 +347,16 @@
ndk::ScopedAStatus BluetoothHci::send(PacketType type,
const std::vector<uint8_t>& v) {
- if (mH4 == nullptr) {
- return ndk::ScopedAStatus::fromExceptionCode(EX_ILLEGAL_STATE);
- }
if (v.empty()) {
ALOGE("Packet is empty, no data was found to be sent");
return ndk::ScopedAStatus::fromExceptionCode(EX_ILLEGAL_ARGUMENT);
}
+
+ std::lock_guard<std::mutex> guard(mStateMutex);
+ if (mH4 == nullptr) {
+ return ndk::ScopedAStatus::fromExceptionCode(EX_ILLEGAL_STATE);
+ }
+
mH4->Send(type, v);
return ndk::ScopedAStatus::ok();
}
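Review bot: `mH4->Send(type, v)` now executes with `mStateMutex` held (lines 36-41), and per the description this writes to a socket fd, so a slow or blocking write stalls close() and any other caller contending for that mutex and serializes all sends. If `mH4` is a shared pointer, copy it while locked and send after the guard is released: `auto h4 = mH4;` inside the locked scope (after the null check), then `h4->Send(type, v);` once the guard has gone out of scope; if it is a unique_ptr this needs a different ownership scheme, so confirm the member type first. The commit message cites an unchecked `mState` as the root cause, yet the new code only tests `mH4`; that is sufficient only if every state transition that invalidates the transport also clears `mH4` under this mutex, which is not visible in this hunk. Moving the `v.empty()` check ahead of the lock is fine since it touches no shared state.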