diff --git a/framework-t/src/android/net/IpSecManager.java b/framework-t/src/android/net/IpSecManager.java
index 9cb0947b23..9cceac2af3 100644
--- a/framework-t/src/android/net/IpSecManager.java
+++ b/framework-t/src/android/net/IpSecManager.java
@@ -817,10 +817,10 @@ public class IpSecManager {
 *
 *
 * @param underlyingNetwork the new {@link Network} that will carry traffic for this tunnel.
- * This network MUST never be the network exposing this IpSecTunnelInterface, otherwise
- * this method will throw an {@link IllegalArgumentException}. If the
- * IpSecTunnelInterface is later added to this network, all outbound traffic will be
- * blackholed.
+ * This network MUST be a functional {@link Network} with valid {@link LinkProperties},
+ * and MUST never be the network exposing this IpSecTunnelInterface, otherwise this
+ * method will throw an {@link IllegalArgumentException}. If the IpSecTunnelInterface is
+ * later added to this network, all outbound traffic will be blackholed.
 */
 // TODO: b/169171001 Update the documentation when transform migration is supported.
 // The purpose of making updating network and applying transforms separate is to leave open
@@ -962,7 +962,6 @@ public class IpSecManager {
 * IP header and IPsec Header on all inbound traffic).
 *

Applications should probably not use this API directly.
 *
- *
 * @param tunnel The {@link IpSecManager#IpSecTunnelInterface} that will use the supplied
 * transform.
 * @param direction the direction, {@link DIRECTION_OUT} or {@link #DIRECTION_IN} in which
diff --git a/service-t/src/com/android/server/IpSecService.java b/service-t/src/com/android/server/IpSecService.java
index 4bc40eae44..16b9f1efcf 100644
--- a/service-t/src/com/android/server/IpSecService.java
+++ b/service-t/src/com/android/server/IpSecService.java
@@ -1452,6 +1452,11 @@ public class IpSecService extends IIpSecService.Stub {
 final ConnectivityManager connectivityManager =
 mContext.getSystemService(ConnectivityManager.class);
 final LinkProperties lp = connectivityManager.getLinkProperties(underlyingNetwork);
+ if (lp == null) {
+ throw new IllegalArgumentException(
+ "LinkProperties is null. The underlyingNetwork may not be functional");
+ }
+
 if (tunnelInterfaceInfo.getInterfaceName().equals(lp.getInterfaceName())) {
 throw new IllegalArgumentException(
 "Underlying network cannot be the network being exposed by this tunnel");
diff --git a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
index 45f3d3c118..061dc872ca 100644
--- a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
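Review bot: The new `lp == null` guard in IpSecService still lets through a LinkProperties whose interface name is null. In that case `tunnelInterfaceInfo.getInterfaceName().equals(lp.getInterfaceName())` on the next statement is simply false, so the check that the underlying network is not the tunnel's own network passes without having compared anything. If a network without an interface name should also count as non-functional, the guard could read `if (lp == null || lp.getInterfaceName() == null) {`, with the exception message adjusted to match. A short comment above the guard would also help, e.g. `// getLinkProperties() can return null for an unknown or disconnected network; reject it here instead of letting an NPE escape from the service`. The enclosing method starts and ends outside this hunk, so any earlier validation of underlyingNetwork is not visible here.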
@@ -782,6 +782,23 @@ public class IpSecServiceParameterizedTest {
 assertEquals(newFakeNetwork, tunnelInterfaceInfo.getUnderlyingNetwork());
 }
+ @Test
+ public void testSetNetworkForTunnelInterfaceFailsForNullLp() throws Exception {
+ final IpSecTunnelInterfaceResponse createTunnelResp =
+ createAndValidateTunnel(mSourceAddr, mDestinationAddr, BLESSED_PACKAGE);
+ final Network newFakeNetwork = new Network(1000);
+ final int tunnelIfaceResourceId = createTunnelResp.resourceId;
+
+ try {
+ mIpSecService.setNetworkForTunnelInterface(
+ tunnelIfaceResourceId, newFakeNetwork, BLESSED_PACKAGE);
+ fail(
+ "Expected an IllegalArgumentException for underlying network with null"
+ + " LinkProperties");
+ } catch (IllegalArgumentException expected) {
+ }
+ }
+
 @Test
 public void testSetNetworkForTunnelInterfaceFailsForInvalidResourceId() throws Exception {
 final IpSecTunnelInterfaceResponse createTunnelResp =
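Review bot: The catch block in testSetNetworkForTunnelInterfaceFailsForNullLp accepts any IllegalArgumentException, so the test cannot tell the new null-LinkProperties rejection apart from the other IllegalArgumentException paths of setNetworkForTunnelInterface, such as the "network being exposed by this tunnel" check. It also appears to rely on the ConnectivityManager test double returning null for the unstubbed `new Network(1000)`; stubbing that null return explicitly in the test body would make the precondition visible and keep the test meaningful if a default stub is added to the setup later. Pinning the path could be as small as `assertTrue(expected.getMessage().contains("LinkProperties is null"));` inside the currently empty catch block, provided the file already has that assertion in scope. The test class and its setup lie outside this hunk, so how the mock is configured is inferred rather than seen.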