Fix potential DoS caused by delivering signal to BT processstable/cm-13.0-ZNH2K

Ticket: CYNGNOS-3177 Bug: 28885210 Change-Id: I63866d894bfca47464d6e42e3fb0357c4f94d360
author: Sharvil Nanavati <sharvil@google.com> 2016-06-20 19:16:12 -0700
committer: Jessica Wagantall <jwagantall@cyngn.com> 2016-08-02 01:12:33 -0700
commit: 791c2192a9a19e42d8a396b0e46e1b15feb542cb (patch)
tree: 32c97666df9efaadc8206ea0499cf2480d2b8829 /hci
parent: 0e94bd5ac42a4621c873c8c2af4aa2aced3c6442 (diff)
download: android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.tar.gz
android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.tar.bz2
android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.zip
7 files changed, 23 insertions, 22 deletions
diff --git a/hci/src/btsnoop.c b/hci/src/btsnoop.c
index 5164148b7..4dc8192a4 100644
--- a/hci/src/btsnoop.c
+++ b/hci/src/btsnoop.c
@@ -200,7 +200,7 @@ static void update_logging() {
         LOG_ERROR("%s unable to rename '%s' to '%s': %s", __func__, log_path, last_log_path, strerror(errno));
     }
 
-    logfile_fd = open(log_path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
+    logfile_fd = TEMP_FAILURE_RETRY(open(log_path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH));
     if (logfile_fd == INVALID_FD) {
       LOG_ERROR("%s unable to open '%s': %s", __func__, log_path, strerror(errno));
       btsnoop_net_close();
@@ -208,7 +208,7 @@ static void update_logging() {
       return;
     }
 
-    write(logfile_fd, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16);
+    TEMP_FAILURE_RETRY(write(logfile_fd, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16));
   } else {
     if (logfile_fd != INVALID_FD)
       close(logfile_fd);
@@ -226,7 +226,7 @@ static void btsnoop_write(const void *data, size_t length) {
   }
 
   if (logfile_fd != INVALID_FD)
-    write(logfile_fd, data, length);
+    TEMP_FAILURE_RETRY(write(logfile_fd, data, length));
 }
 
 static uint64_t time_now_us() {
diff --git a/hci/src/btsnoop_net.c b/hci/src/btsnoop_net.c
index 2c8787563..96a4fe9cd 100644
--- a/hci/src/btsnoop_net.c
+++ b/hci/src/btsnoop_net.c
@@ -104,7 +104,7 @@ void btsnoop_net_write(const void *data, size_t length) {
   pthread_mutex_lock(&client_socket_lock_);
   if (client_socket_btsnoop != -1) {
     do {
-      if ((ret = send(client_socket_btsnoop, data, length, 0)) == -1 && errno == ECONNRESET) {
+      if ((ret = TEMP_FAILURE_RETRY(send(client_socket_btsnoop, data, length, 0))) == -1 && errno == ECONNRESET) {
         safe_close_(&client_socket_btsnoop);
         LOG_INFO("%s conn closed", __func__);
       }
@@ -180,7 +180,7 @@ static void *listen_fn_(UNUSED_ATTR void *context) {
     }
 
     if ((listen_socket_ != -1) && FD_ISSET(listen_socket_, &sock_fds)) {
-      client_socket = accept(listen_socket_, NULL, NULL);
+      client_socket = TEMP_FAILURE_RETRY(accept(listen_socket_, NULL, NULL));
       if (client_socket == -1) {
         if (errno == EINVAL || errno == EBADF) {
           LOG_WARN("%s error accepting TCP socket: %s", __func__, strerror(errno));
@@ -193,7 +193,7 @@ static void *listen_fn_(UNUSED_ATTR void *context) {
       struct sockaddr_un cliaddr;
       int length;
 
-      client_socket = accept(listen_socket_local_, (struct sockaddr *)&cliaddr, &length);
+      client_socket = TEMP_FAILURE_RETRY(accept(listen_socket_local_, (struct sockaddr *)&cliaddr, &length));
       if (client_socket == -1) {
         if (errno == EINVAL || errno == EBADF) {
           LOG_WARN("%s error accepting LOCAL socket: %s", __func__, strerror(errno));
@@ -209,7 +209,7 @@ static void *listen_fn_(UNUSED_ATTR void *context) {
     pthread_mutex_lock(&client_socket_lock_);
     safe_close_(&client_socket_btsnoop);
     client_socket_btsnoop = client_socket;
-    send(client_socket_btsnoop, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16, 0);
+    TEMP_FAILURE_RETRY(send(client_socket_btsnoop, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16, 0));
     pthread_mutex_unlock(&client_socket_lock_);
 
     FD_ZERO(&sock_fds);
diff --git a/hci/src/hci_hal_h4.c b/hci/src/hci_hal_h4.c
index d4dc105f5..09d035454 100644
--- a/hci/src/hci_hal_h4.c
+++ b/hci/src/hci_hal_h4.c
@@ -197,7 +197,7 @@ static uint16_t transmit_data(serial_data_type_t type, uint8_t *data, uint16_t l
 
   uint16_t transmitted_length = 0;
   while (length > 0) {
-    ssize_t ret = write(uart_fd, data + transmitted_length, length);
+    ssize_t ret = TEMP_FAILURE_RETRY(write(uart_fd, data + transmitted_length, length));
     switch (ret) {
       case -1:
         LOG_ERROR("In %s, error writing to the uart serial port: %s", __func__, strerror(errno));
diff --git a/hci/src/hci_hal_mct.c b/hci/src/hci_hal_mct.c
index 2c7a32336..318d812f6 100644
--- a/hci/src/hci_hal_mct.c
+++ b/hci/src/hci_hal_mct.c
@@ -249,7 +249,7 @@ static uint16_t transmit_data_on(int fd, uint8_t *data, uint16_t length) {
 
   uint16_t transmitted_length = 0;
   while (length > 0) {
-    ssize_t ret = write(fd, data + transmitted_length, length);
+    ssize_t ret = TEMP_FAILURE_RETRY(write(fd, data + transmitted_length, length));
     switch (ret) {
       case -1:
         LOG_ERROR("In %s, error writing to the serial port with fd %d: %s", __func__, fd, strerror(errno));
diff --git a/hci/src/hci_layer.c b/hci/src/hci_layer.c
index a6c9a93f7..ed1c7eec3 100644
--- a/hci/src/hci_layer.c
+++ b/hci/src/hci_layer.c
@@ -20,6 +20,7 @@
 
 #include <assert.h>
 #include <cutils/properties.h>
+#include <errno.h>
 #include <string.h>
 #include <signal.h>
 #include <string.h>
@@ -531,7 +532,7 @@ static void command_timed_out(UNUSED_ATTR void *context) {
 
   LOG_ERROR("%s restarting the bluetooth process.", __func__);
   ssr_cleanup(0x22);//SSR reasno 0x22 = CMD TO
-  usleep(20000);
+  TEMP_FAILURE_RETRY(usleep(20000));
   //Reset SOC status to trigger hciattach service
   if (property_set("bluetooth.status", "off") < 0) {
      LOG_ERROR("hci_cmd_timeout: Error resetting SOC status\n ");
diff --git a/hci/test/hci_hal_h4_test.cpp b/hci/test/hci_hal_h4_test.cpp
index d64e8c4d2..9ee8006c3 100644
--- a/hci/test/hci_hal_h4_test.cpp
+++ b/hci/test/hci_hal_h4_test.cpp
@@ -183,26 +183,26 @@ static void expect_socket_data(int fd, char first_byte, char *data) {
     fd_set read_fds;
     FD_ZERO(&read_fds);
     FD_SET(fd, &read_fds);
-    select(fd + 1, &read_fds, NULL, NULL, NULL);
+    TEMP_FAILURE_RETRY(select(fd + 1, &read_fds, NULL, NULL, NULL));
 
     char byte;
-    read(fd, &byte, 1);
+    TEMP_FAILURE_RETRY(read(fd, &byte, 1));
 
     EXPECT_EQ(i == 0 ? first_byte : data[i - 1], byte);
   }
 }
 
 static void write_packet(int fd, char first_byte, char *data) {
-  write(fd, &first_byte, 1);
-  write(fd, data, strlen(data));
+  TEMP_FAILURE_RETRY(write(fd, &first_byte, 1));
+  TEMP_FAILURE_RETRY(write(fd, data, strlen(data)));
 }
 
 static void write_packet_reentry(int fd, char first_byte, char *data) {
-  write(fd, &first_byte, 1);
+  TEMP_FAILURE_RETRY(write(fd, &first_byte, 1));
 
   int length = strlen(data);
   for (int i = 0; i < length; i++) {
-    write(fd, &data[i], 1);
+    TEMP_FAILURE_RETRY(write(fd, &data[i], 1));
     semaphore_wait(reentry_semaphore);
   }
 }
@@ -252,7 +252,7 @@ TEST_F(HciHalH4Test, test_type_byte_only_must_not_signal_data_ready) {
   reset_for(type_byte_only);
 
   char byte = DATA_TYPE_ACL;
-  write(sockfd[1], &byte, 1);
+  TEMP_FAILURE_RETRY(write(sockfd[1], &byte, 1));
 
   fd_set read_fds;
 
@@ -265,6 +265,6 @@ TEST_F(HciHalH4Test, test_type_byte_only_must_not_signal_data_ready) {
     timeout.tv_sec = 0;
     timeout.tv_usec = 0;
 
-    select(sockfd[0] + 1, &read_fds, NULL, NULL, &timeout);
+    TEMP_FAILURE_RETRY(select(sockfd[0] + 1, &read_fds, NULL, NULL, &timeout));
   } while(FD_ISSET(sockfd[0], &read_fds));
 }
diff --git a/hci/test/hci_hal_mct_test.cpp b/hci/test/hci_hal_mct_test.cpp
index 911aabcfd..a857629b3 100644
--- a/hci/test/hci_hal_mct_test.cpp
+++ b/hci/test/hci_hal_mct_test.cpp
@@ -186,23 +186,23 @@ static void expect_socket_data(int fd, char *data) {
     fd_set read_fds;
     FD_ZERO(&read_fds);
     FD_SET(fd, &read_fds);
-    select(fd + 1, &read_fds, NULL, NULL, NULL);
+    TEMP_FAILURE_RETRY(select(fd + 1, &read_fds, NULL, NULL, NULL));
 
     char byte;
-    read(fd, &byte, 1);
+    TEMP_FAILURE_RETRY(read(fd, &byte, 1));
 
     EXPECT_EQ(data[i], byte);
   }
 }
 
 static void write_packet(int fd, char *data) {
-  write(fd, data, strlen(data));
+  TEMP_FAILURE_RETRY(write(fd, data, strlen(data)));
 }
 
 static void write_packet_reentry(int fd, char *data) {
   int length = strlen(data);
   for (int i = 0; i < length; i++) {
-    write(fd, &data[i], 1);
+    TEMP_FAILURE_RETRY(write(fd, &data[i], 1));
     semaphore_wait(reentry_semaphore);
   }
 }
author	Sharvil Nanavati <sharvil@google.com>	2016-06-20 19:16:12 -0700
committer	Jessica Wagantall <jwagantall@cyngn.com>	2016-08-02 01:12:33 -0700
commit	791c2192a9a19e42d8a396b0e46e1b15feb542cb (patch)
tree	32c97666df9efaadc8206ea0499cf2480d2b8829 /hci
parent	0e94bd5ac42a4621c873c8c2af4aa2aced3c6442 (diff)
download	android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.tar.gz android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.tar.bz2 android_system_bt-791c2192a9a19e42d8a396b0e46e1b15feb542cb.zip