
Commit 8457b0f0 authored by Nick Pelly

Fix Phone App crash due to binary data in HSP/HFP stream.

The BMW 2005 E46 sends binary data amongst the AT commands. Log below.

There were a couple of problems when this happened.
o Off-by-one error causing overflow of read buffer.
o No validation that input can be parsed by NewStringUTF()

This commit fixes the off-by-one, and validates that the input is ASCII.

I also increased the read buffer size to 256 to make it less likely we split
commands across buffers. We will lose the command when this happens.

2010-03-24 16:00:29.934185 > ACL data: handle 1 flags 0x02 dlen 17
    L2CAP(d): cid 0x0040 len 13 [psm 0]
      0000: 29 ef 13 41 54 2b 43 49  4e 44 3f 0d 6a           )ï.AT+CIND?.j
2010-03-24 16:00:29.940502 < ACL data: handle 1 flags 0x00 dlen 38
    0000: 22 00 40 00 2b ef 3d 0d  0a 2b 43 49 4e 44 3a 20  ".@.+ï=..+CIND:
    0010: 31 2c 30 2c 30 2c 30 2c  34 2c 30 2c 35 0d 0a 0d  1,0,0,0,4,0,5...
    0020: 0a 4f 4b 0d 0a b0                                 .OK..°
2010-03-24 16:00:29.949657 > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 1 packets 1
2010-03-24 16:00:30.004284 > ACL data: handle 1 flags 0x02 dlen 9
    L2CAP(d): cid 0x0040 len 5 [psm 0]
      0000: 29 ff 01 01 76                                    )ÿ..v
2010-03-24 16:00:30.137218 > ACL data: handle 1 flags 0x02 dlen 144
    L2CAP(d): cid 0x0040 len 140 [psm 0]
      0000: 29 ef 0e 01 02 a9 03 58  02 a9 03 64 02 a9 03 98  )ï...©.X.©.d.©..
      0010: 02 a9 03 98 02 a9 03 98  02 a9 03 98 02 a9 03 98  .©...©...©...©..
      0020: 02 a9 03 98 02 a9 03 98  02 a9 03 98 02 a9 03 98  .©...©...©...©..
      0030: 02 a9 04 d8 02 a9 03 a4  02 a9 03 b0 02 a9 03 bc  .©.Ø.©.¤.©.°.©.¼
      0040: 02 a9 03 c8 02 a9 03 fc  02 a9 04 38 02 a9 04 44  .©.È.©.ü.©.8.©.D
      0050: 02 a9 04 50 02 a9 04 84  02 a9 04 90 02 a9 04 9c  .©.P.©...©...©..
      0060: 02 a9 04 a8 02 a9 04 b4  02 a9 04 c0 02 a9 04 d8  .©.¨.©.´.©.À.©.Ø
      0070: 02 a9 04 d8 02 a9 04 cc  02 a9 10 7c 02 a9 10 d8  .©.Ø.©.Ì.©.|.©.Ø
      0080: 02 a9 10 e4 02 a9 10 f4  02 a9 11 6a              .©.ä.©.ô.©.j

Change-Id: I7ccff70bc95a7945d8ff03527764fd8f4da04d24
Bug: 2539053
parent d0f11ea9
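The two defects the message lists, worked through as an added example in C that is not the commit's or the Android project's code: a bounded AT line reader fed by an in-memory stand-in for the RFCOMM socket (the `at_stream` struct, the function names and the sample bytes are constructed for this example). It keeps room for the terminator, checks each byte as it is read rather than after NUL-termination, and rejects anything outside printable 7-bit ASCII, which is stricter than the commit's high-bit-only test (the 0x01/0x02/0x03 bytes in the dump above pass that test). A canary byte placed directly after the buffer shows that the `len - 1` bound holds on an over-long line, and a rejected line comes back as an empty string, as in the fix.

```c
#include <stddef.h>
#include <string.h>

/* In-memory stand-in for the RFCOMM socket (constructed for this example;
 * the real code does read(fd, bufit, 1) on the socket). */
struct at_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Next byte, or -1 once the stream is exhausted (the EOF case). */
static int at_stream_getc(struct at_stream *s)
{
    return s->pos < s->len ? s->data[s->pos++] : -1;
}

enum at_line_status {
    AT_LINE_OK = 0,     /* printable 7-bit line stored in buf */
    AT_LINE_EOF,        /* stream exhausted, no pending line */
    AT_LINE_INVALID,    /* a byte outside 0x20..0x7e was seen; buf is "" */
    AT_LINE_TRUNCATED   /* longer than len-1 bytes; the prefix is in buf */
};

/* Read one CR/LF-terminated AT line into buf[len]. Stores at most len-1 bytes,
 * so the terminator at buf[n] is always in bounds. Bytes are checked as they
 * arrive, so an embedded 0x00 cannot hide later junk; junk and over-long lines
 * are drained to their terminator so the tail is not delivered as a command. */
static enum at_line_status at_get_line(struct at_stream *s, char *buf, size_t len)
{
    size_t n = 0;
    int seen_any = 0, bad = 0, truncated = 0;

    if (len == 0)
        return AT_LINE_INVALID;
    buf[0] = '\0';
    for (;;) {
        int c = at_stream_getc(s);
        if (c < 0) {
            if (!seen_any)
                return AT_LINE_EOF;
            break;                      /* unterminated final line */
        }
        if (c == '\r' || c == '\n') {
            if (!seen_any)
                continue;               /* swallow leading CR/LF */
            break;
        }
        seen_any = 1;
        if (c < 0x20 || c > 0x7e)
            bad = 1;                    /* keep draining to the terminator */
        else if (n < len - 1)
            buf[n++] = (char)c;
        else
            truncated = 1;
    }
    buf[n] = '\0';                      /* n <= len-1, never past the buffer */
    if (bad) {
        buf[0] = '\0';                  /* hand back "" for a rejected line */
        return AT_LINE_INVALID;
    }
    return truncated ? AT_LINE_TRUNCATED : AT_LINE_OK;
}

/* Constructed stream: the +CIND/OK reply from the dump above, a line built
 * from the car's junk bytes (0x01 0x02 0xa9 ...), and an over-long line. */
static const unsigned char sample_stream[] =
    "\r\n+CIND: 1,0,0,0,4,0,5\r\n\r\nOK\r\n"
    "\x01\x02\xa9\x03" "X\x02\xa9\x03" "d\r\n"
    "+CLCC: 1,1,4,0,0,\"+12345678901234567890\",145\r\n";

/* Reads the first sample line into out[len]; lets a caller watch truncation. */
static enum at_line_status first_line(char *out, size_t len)
{
    struct at_stream s = { sample_stream, sizeof(sample_stream) - 1, 0 };
    return at_get_line(&s, out, len);
}

/* Walks the whole sample stream; returns 0 on success or the failing step.
 * The canary sits right after the 32-byte buffer, where the old `< len`
 * bound would have put the terminator during the over-long line. */
static int run_demo(void)
{
    struct at_stream s = { sample_stream, sizeof(sample_stream) - 1, 0 };
    struct { char buf[32]; char canary; } b;

    memset(&b, 0, sizeof b);
    b.canary = 0x5a;
    if (at_get_line(&s, b.buf, sizeof b.buf) != AT_LINE_OK)        return 1;
    if (strcmp(b.buf, "+CIND: 1,0,0,0,4,0,5") != 0)                return 2;
    if (at_get_line(&s, b.buf, sizeof b.buf) != AT_LINE_OK)        return 3;
    if (strcmp(b.buf, "OK") != 0)                                  return 4;
    if (at_get_line(&s, b.buf, sizeof b.buf) != AT_LINE_INVALID)   return 5;
    if (b.buf[0] != '\0')                                          return 6;
    if (at_get_line(&s, b.buf, sizeof b.buf) != AT_LINE_TRUNCATED) return 7;
    if (strlen(b.buf) != sizeof b.buf - 1)                         return 8;
    if (b.canary != 0x5a)                                          return 9;
    if (at_get_line(&s, b.buf, sizeof b.buf) != AT_LINE_EOF)       return 10;
    return 0;
}
```

`run_demo()` returns 0 on the constructed stream. Draining an over-long or junk line to its terminator is a design choice that differs from the patch: the patch stops reading at the limit, so the rest of a long command is read back as the next line; here the caller gets `AT_LINE_TRUNCATED` once and the tail is gone.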
+21 −4
@@ -96,6 +96,13 @@ static int send_line(int fd, const char* line) {
    return 0;
}

static int is_ascii(char *line) {
    for (;;line++) {
        if (*line == 0) return 1;
        if (*line >> 7) return 0;
    }
}

static const char* get_line(int fd, char *buf, int len, int timeout_ms,
                            int *err) {
    char *bufit=buf;
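Review bot: `if (*line >> 7) return 0;` in `is_ascii` works for both signed and unsigned `char` (a promoted negative value shifts to -1, which is still non-zero), but it reads as if it expects 0 or 1 and relies on the implementation-defined right shift of a negative value; `(unsigned char)*line & 0x80` says what is meant. The parameter should be `const char *`, since the function only reads. Also, the name overstates the check: every byte 0x00..0x7f passes, including control bytes such as the 0x01/0x02/0x03 seen in the log, so only high-bit junk is filtered.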
@@ -125,7 +132,7 @@ again:
        return NULL;
    }

    while ((int)(bufit - buf) < len)
    while ((int)(bufit - buf) < (len - 1))
    {
        errno = 0;
        int rc = read(fd, bufit, 1);
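Review bot: the `len - 1` bound is what makes the terminator store after the loop safe; with `< len` the loop could leave `bufit` at `buf + len` and the terminator then landed one past the caller's buffer. A one-line comment at the loop would help, because nothing here shows what happens when the limit is hit: the partial line is handed back as if complete and the unread bytes in the socket come back as the next line, which is the split-command loss the commit message accepts.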
@@ -155,8 +162,18 @@ again:
            bufit++;
    }

    *bufit = '\x0';
    *bufit = NULL;

    // Simple validation. Must be all ASCII.
    // (we sometimes send non-ASCII UTF-8 in address book, but should
    // never receive non-ASCII UTF-8).
    // This was added because of the BMW 2005 E46 which sends binary junk.
    if (is_ascii(buf)) {
        LOG(LOG_INFO, "Bluetooth AT recv", buf);
    } else {
        LOGW("Ignoring invalid AT command: %s", buf);
        buf[0] = NULL;
    }

    return buf;
}
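Review bot: `*bufit = NULL;` and `buf[0] = NULL;` assign a pointer constant to a `char`; where `NULL` expands to `((void *)0)` this is a constraint violation that compilers warn on or reject, so the removed `'\x0'` (or `'\0'`) should be kept for both stores. Two smaller points: the check runs only after the line is terminated, so `is_ascii` stops at the first 0x00 byte and never looks at anything after it, which is why a byte-at-a-time check in the read loop would be more robust; and `LOGW("Ignoring invalid AT command: %s", buf)` writes the rejected bytes from the remote device into the log, which is safe for a NUL-terminated buffer but worth noting.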
@@ -501,7 +518,7 @@ static jstring readNative(JNIEnv *env, jobject obj, jint timeout_ms) {
    {
        native_data_t *nat = get_native_data(env, obj);
        if (nat->rfcomm_connected) {
            char buf[128];
            char buf[256];
            const char *ret = get_line(nat->rfcomm_sock,
                                       buf, sizeof(buf),
                                       timeout_ms,
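Review bot: the bump to `char buf[256]` is fine for the stack in a JNI call and `sizeof(buf)` keeps the length argument in step, but it is the `len - 1` bound in `get_line` that closes the overflow, not the size; a comment saying why 256 (the commit message: fewer commands split across reads) would stop a later reader from taking it for a protocol limit. Note also that a rejected line comes back as `""` rather than `NULL`, so whatever follows in `readNative` must treat an empty `ret` as "line ignored" and not as a read failure or timeout.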