author | Sharvil Nanavati <sharvil@google.com> | 2016-06-20 19:16:12 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-08-02 01:12:33 -0700 |
commit | 791c2192a9a19e42d8a396b0e46e1b15feb542cb (patch) | |
tree | 32c97666df9efaadc8206ea0499cf2480d2b8829 /btif/src/btif_sock_rfc.c | |
parent | 0e94bd5ac42a4621c873c8c2af4aa2aced3c6442 (diff) | |
Fix potential DoS caused by delivering signal to BT processstable/cm-13.0-ZNH2K
Ticket: CYNGNOS-3177
Bug: 28885210
Change-Id: I63866d894bfca47464d6e42e3fb0357c4f94d360
Diffstat (limited to 'btif/src/btif_sock_rfc.c')
-rw-r--r-- | btif/src/btif_sock_rfc.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/btif/src/btif_sock_rfc.c b/btif/src/btif_sock_rfc.c
index c352966ef..059b62c0f 100644
--- a/btif/src/btif_sock_rfc.c
+++ b/btif/src/btif_sock_rfc.c
@@ -840,7 +840,7 @@ static sent_status_t send_data_to_app(int fd, BT_HDR *p_buf) {
 if (p_buf->len == 0)
 return SENT_ALL;
- ssize_t sent = send(fd, p_buf->data + p_buf->offset, p_buf->len, MSG_DONTWAIT);
+ ssize_t sent = TEMP_FAILURE_RETRY(send(fd, p_buf->data + p_buf->offset, p_buf->len, MSG_DONTWAIT));
 if (sent == -1) {
 if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
@@ -903,11 +903,9 @@ void btsock_rfc_signaled(UNUSED_ATTR int fd, int flags, uint32_t user_id) {
 if (slot->f.connected) {
 // Make sure there's data pending in case the peer closed the socket.
 int size = 0;
- if (!(flags & SOCK_THREAD_FD_EXCEPTION) || (ioctl(slot->fd, FIONREAD, &size) == 0 && size))
- //unlock before BTA_JvRfcommWrite to avoid deadlock on concurrnet multi rfcomm connectoins
- //concurrnet multi rfcomm connectoins
- pthread_mutex_unlock(&slot_lock);
+ if (!(flags & SOCK_THREAD_FD_EXCEPTION) || (TEMP_FAILURE_RETRY(ioctl(slot->fd, FIONREAD, &size)) == 0 && size)) {
 BTA_JvRfcommWrite(slot->rfc_handle, slot->id);
+ }
 } else {
 LOG_ERROR("%s socket signaled for read while disconnected, slot: %d, channel: %d", __func__, slot->id, slot->scn);
 need_close = true;
@@ -925,7 +923,7 @@ void btsock_rfc_signaled(UNUSED_ATTR int fd, int flags, uint32_t user_id) {
 if (need_close || (flags & SOCK_THREAD_FD_EXCEPTION)) {
 // Clean up if there's no data pending.
 int size = 0;
- if (need_close || ioctl(slot->fd, FIONREAD, &size) != 0 || !size)
+ if (need_close || TEMP_FAILURE_RETRY(ioctl(slot->fd, FIONREAD, &size)) != 0 || !size)
 cleanup_rfc_slot(slot);
 }
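Review bot: The `errno == EINTR` term in the last context line of the send_data_to_app hunk is dead now that `send()` is wrapped in TEMP_FAILURE_RETRY, because the macro only returns once the result is not a -1/EINTR failure. Leaving it in suggests an interrupted send is still handled as "try again later", which is no longer the path taken. I would reduce the condition to `if (errno == EAGAIN || errno == EWOULDBLOCK)`. The body of that branch lies outside the hunk, so this is judged from the condition alone.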
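Review bot: In the first btsock_rfc_signaled hunk, `BTA_JvRfcommWrite(slot->rfc_handle, slot->id)` is now called without the `pthread_mutex_unlock(&slot_lock)` that the removed lines placed before it, and the removed comment said that unlock existed to avoid a deadlock with concurrent RFCOMM connections. The commit message covers only signal delivery, so this locking change is undocumented, and a deadlock here would itself stall the Bluetooth process. The new braces also make the write conditional, whereas the old unbraced `if` guarded only the unlock and the write ran whenever the slot was connected. The lock acquisition and final release are outside the hunk, so please confirm that BTA_JvRfcommWrite cannot call back into code that takes slot_lock. A comment above the call would record that, for example `// slot_lock is held across this call; BTA_JvRfcommWrite must not re-enter btsock_rfc_* on this thread`.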
@@ -979,7 +977,7 @@ int bta_co_rfc_data_outgoing_size(void *user_data, int *size) {
 if (!slot)
 goto out;
- if (ioctl(slot->fd, FIONREAD, size) == 0) {
+ if (TEMP_FAILURE_RETRY(ioctl(slot->fd, FIONREAD, size)) == 0) {
 ret = true;
 } else {
 LOG_ERROR("%s unable to determine bytes remaining to be read on fd %d: %s", __func__, slot->fd, strerror(errno));
@@ -1000,7 +998,7 @@ int bta_co_rfc_data_outgoing(void *user_data, uint8_t *buf, uint16_t size) {
 if (!slot)
 goto out;
- int received = recv(slot->fd, buf, size, 0);
+ int received = TEMP_FAILURE_RETRY(recv(slot->fd, buf, size, 0));
 if(received == size) {
 ret = true;
 } else {
|
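Review bot: In bta_co_rfc_data_outgoing, `if(received == size)` still sends a short but successful `recv()` down the same `else` path as a real error, and TEMP_FAILURE_RETRY does not change that because it only retries a -1/EINTR result. The `else` body is outside the hunk; if it reports `strerror(errno)` the way the neighbouring bta_co_rfc_data_outgoing_size does, a short read would be logged with a stale errno. I would split the cases, testing `received < 0` for the errno-based error and handling `received != size` separately as a short read. A one-line comment stating that `size` is expected to be fully available would also make the strict equality check easier to audit.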