Ensure connection is unbound on call redirection timeout.
This CL ensures that the connection is unbound when the call redirection timeout is hit in CallRedirectionProcessor. This resolves a reported security vulnerability.
Test: manual using the provided APK + updated CallRedirectionProcessorTest
Flag: EXEMPT Security High/Critical Severity CVE
Bug: 376461726
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4a358cfd8e403597651a6962e8e43c11ea906a59)
Merged-In: I76a65c3993f5107652f98bbe0283043ecff27a7c
Change-Id: I76a65c3993f5107652f98bbe0283043ecff27a7c
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
index 05e73d5..15b8aa9 100644
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
@@ -133,6 +133,14 @@
+ mServiceType + " call redirection service");
}
}
+ Log.i(this, "notifyTimeout: call redirection has timed out so "
+ + "unbinding the connection");
+ if (mConnection != null) {
+ // We still need to call unbind even if the service disconnected.
+ mContext.unbindService(mConnection);
+ mConnection = null;
+ }
+ mService = null;
}
private class CallRedirectionServiceConnection implements ServiceConnection {
diff --git a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
index 241216a..185c08f 100644
--- a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
+++ b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
@@ -221,6 +221,9 @@
verify(mCallsManager, times(1)).onCallRedirectionComplete(eq(mCall), any(),
eq(mPhoneAccountHandle), eq(null), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
eq(false), eq(CallRedirectionProcessor.UI_TYPE_NO_ACTION));
+ // Verify service was unbound
+ verify(mContext, times(1)).
+ unbindService(any(ServiceConnection.class));
}
@Test
@@ -249,6 +252,9 @@
verify(mCallsManager, times(1)).onCallRedirectionComplete(eq(mCall), any(),
eq(mPhoneAccountHandle), eq(null), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
eq(true), eq(CallRedirectionProcessor.UI_TYPE_USER_DEFINED_TIMEOUT));
+ // Verify service was unbound
+ verify(mContext, times(1)).
+ unbindService(any(ServiceConnection.class));
}
@Test
@@ -280,6 +286,9 @@
verify(mCallsManager, times(1)).onCallRedirectionComplete(eq(mCall), any(),
eq(mPhoneAccountHandle), eq(null), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
eq(true), eq(CallRedirectionProcessor.UI_TYPE_USER_DEFINED_TIMEOUT));
+ // Verify service was unbound
+ verify(mContext, times(1)).
+ unbindService(any(ServiceConnection.class));
// Wait for another carrier timeout time, but should not expect any carrier service request
// is triggered.
@@ -289,6 +298,9 @@
verify(mCallsManager, times(1)).onCallRedirectionComplete(eq(mCall), any(),
eq(mPhoneAccountHandle), eq(null), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
eq(true), eq(CallRedirectionProcessor.UI_TYPE_USER_DEFINED_TIMEOUT));
+ // Verify service was unbound
+ verify(mContext, times(1)).
+ unbindService(any(ServiceConnection.class));
}
@Test