From 8457b0f0c6bd57a1a796ae5f5c7df7119afc5d4f Mon Sep 17 00:00:00 2001 
From: Nick Pelly Date: Wed, 24 Mar 2010 18:41:13 -0700 Subject: [PATCH] Fix Phone App crash due to binary data in HSP/HFP stream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The BMW 2005 E46 sends binary data amongst the AT commands. Log below. There were a couple of problems when this happened. o Off by one error causing overflow of read buffer. o No validation that input can be parsed by NewStringUTF() This commit fixes the off-by-one, and validates that the input is ASCII. I also increased the read buffer size to 256 to make it less likely we split commands across buffers. We will lose the command when this happens. 2010-03-24 16:00:29.934185 > ACL data: handle 1 flags 0x02 dlen 17 L2CAP(d): cid 0x0040 len 13 [psm 0] 0000: 29 ef 13 41 54 2b 43 49 4e 44 3f 0d 6a )ï.AT+CIND?.j 2010-03-24 16:00:29.940502 < ACL data: handle 1 flags 0x00 dlen 38 0000: 22 00 40 00 2b ef 3d 0d 0a 2b 43 49 4e 44 3a 20 ".@.+ï=..+CIND: 0010: 31 2c 30 2c 30 2c 30 2c 34 2c 30 2c 35 0d 0a 0d 1,0,0,0,4,0,5... 0020: 0a 4f 4b 0d 0a b0 .OK..° 2010-03-24 16:00:29.949657 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2010-03-24 16:00:30.004284 > ACL data: handle 1 flags 0x02 dlen 9 L2CAP(d): cid 0x0040 len 5 [psm 0] 0000: 29 ff 01 01 76 )ÿ..v 2010-03-24 16:00:30.137218 > ACL data: handle 1 flags 0x02 dlen 144 L2CAP(d): cid 0x0040 len 140 [psm 0] 0000: 29 ef 0e 01 02 a9 03 58 02 a9 03 64 02 a9 03 98 )ï...©.X.©.d.©.. 0010: 02 a9 03 98 02 a9 03 98 02 a9 03 98 02 a9 03 98 .©...©...©...©.. 0020: 02 a9 03 98 02 a9 03 98 02 a9 03 98 02 a9 03 98 .©...©...©...©.. 0030: 02 a9 04 d8 02 a9 03 a4 02 a9 03 b0 02 a9 03 bc .©.Ø.©.¤.©.°.©.¼ 0040: 02 a9 03 c8 02 a9 03 fc 02 a9 04 38 02 a9 04 44 .©.È.©.ü.©.8.©.D 0050: 02 a9 04 50 02 a9 04 84 02 a9 04 90 02 a9 04 9c .©.P.©...©...©.. 
0060: 02 a9 04 a8 02 a9 04 b4 02 a9 04 c0 02 a9 04 d8 .©.¨.©.´.©.À.©.Ø 0070: 02 a9 04 d8 02 a9 04 cc 02 a9 10 7c 02 a9 10 d8 .©.Ø.©.Ì.©.|.©.Ø 0080: 02 a9 10 e4 02 a9 10 f4 02 a9 11 6a .©.ä.©.ô.©.j Change-Id: I7ccff70bc95a7945d8ff03527764fd8f4da04d24 Bug: 2539053 --- core/jni/android_bluetooth_HeadsetBase.cpp | 25 ++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/core/jni/android_bluetooth_HeadsetBase.cpp b/core/jni/android_bluetooth_HeadsetBase.cpp index 71279b26263c4..b0b0cb8200fd7 100644 --- a/core/jni/android_bluetooth_HeadsetBase.cpp +++ b/core/jni/android_bluetooth_HeadsetBase.cpp @@ -96,6 +96,13 @@ static int send_line(int fd, const char* line) { return 0; } +static int is_ascii(char *line) { + for (;;line++) { + if (*line == 0) return 1; + if (*line >> 7) return 0; + } +} + static const char* get_line(int fd, char *buf, int len, int timeout_ms, int *err) { char *bufit=buf; @@ -125,7 +132,7 @@ again: return NULL; } - while ((int)(bufit - buf) < len) + while ((int)(bufit - buf) < (len - 1)) { errno = 0; int rc = read(fd, bufit, 1); @@ -155,8 +162,18 @@ again: bufit++; } - *bufit = '\x0'; - LOG(LOG_INFO, "Bluetooth AT recv", buf); + *bufit = NULL; + + // Simple validation. Must be all ASCII. + // (we sometimes send non-ASCII UTF-8 in address book, but should + // never receive non-ASCII UTF-8). + // This was added because of the BMW 2005 E46 which sends binary junk. + if (is_ascii(buf)) { + LOG(LOG_INFO, "Bluetooth AT recv", buf); + } else { + LOGW("Ignoring invalid AT command: %s", buf); + buf[0] = NULL; + } return buf; } @@ -501,7 +518,7 @@ static jstring readNative(JNIEnv *env, jobject obj, jint timeout_ms) { { native_data_t *nat = get_native_data(env, obj); if (nat->rfcomm_connected) { - char buf[128]; + char buf[256]; const char *ret = get_line(nat->rfcomm_sock, buf, sizeof(buf), timeout_ms,
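Review bot: `is_ascii` in the first hunk tests the high bit with `*line >> 7` on a plain `char`, whose signedness is implementation-defined; it happens to work either way (a negative result is still non-zero), but the intent is clearer and portable as `if ((unsigned char)*line & 0x80) return 0;`, and the parameter can be `const char *line` since the function only reads. A short comment above it would help the next reader, e.g. `// Returns 1 if every byte before the terminator is 7-bit, 0 otherwise; ASCII control bytes still pass.` That last point matters for callers: the check only protects NewStringUTF(), so binary input made up of bytes below 0x80 is still returned as a valid line, which the commit message does not claim to address.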
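Review bot: The new bound `(len - 1)` in the second hunk correctly reserves the last byte for the terminator, but a line that fills the buffer without a line ending now exits the loop on the bound and, as far as this hunk shows, is handed back like any complete line; the commit message accepts dropping such commands, yet nothing here lets the caller tell a truncated line from a complete one. A check after the loop such as `if ((int)(bufit - buf) >= len - 1) LOGW("AT line truncated at %d bytes", len - 1);` — or reporting it through `*err` — would make the loss visible; whether the loop also leaves on '\r'/'\n' is outside the hunk, so the exact condition should be confirmed against the rest of get_line. A `len` of 0 would also skip the loop and still reach the terminator store after it; the visible caller passes `sizeof(buf)`, so that is defensive only. get_line's body continues beyond both edges of this hunk.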
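Review bot: `*bufit = NULL;` and `buf[0] = NULL;` in the third hunk store the null-pointer constant into a `char`; the line being replaced used `'\x0'`, which had the right type, so both should read `*bufit = '\0';` and `buf[0] = '\0';` (depending on how NULL is defined, a C++ compiler may warn on the conversion, and it reads as a pointer assignment). Separately, `LOGW("Ignoring invalid AT command: %s", buf)` writes the rejected, possibly binary, bytes from the remote device into the log; logging only the length, e.g. `LOGW("Ignoring non-ASCII AT input (%d bytes)", (int)(bufit - buf));`, avoids filling the log with junk. After rejection the function still returns `buf`, now as an empty string rather than NULL; whether callers treat "" as "nothing read" is outside this hunk, as is the start of get_line's body.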