fix(android): bound JNI string local references

maybeknott · maybeknott · commit 923e9402e577 · 2026-05-24T02:06:38.000+03:30
Android JNI entry points return string payloads for version checks, log drains, update checks, SNI probes, live stats, and pipeline diagnostics. Several of those methods are invoked repeatedly by the Kotlin UI while the proxy is running, so each path should keep JNI local-reference ownership explicit and bounded even when future payload construction adds intermediate Java objects.

Add a shared string_to_jstring helper that builds returned Java strings inside an explicit local frame with with_local_frame_returning_local. The frame preserves only the returned jstring for the JVM caller and releases temporary local handles before the native method exits. Allocation or frame setup failures continue to return a null jstring, preserving the existing failure contract.

Route every Android string-returning native entry point through the helper without changing payload contents, method names, signatures, threading behavior, or Kotlin call sites. This keeps repeated telemetry and diagnostics polling from relying on the implicit native-method frame and gives the JNI boundary a single audited conversion path.
diff --git a/src/android_jni.rs b/src/android_jni.rs
@@ -20,7 +20,7 @@ use std::path::PathBuf;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, Mutex, OnceLock};
 
-use jni::objects::{JClass, JString};
+use jni::objects::{JClass, JObject, JString};
 use jni::sys::{jboolean, jlong, jstring, JNI_FALSE, JNI_TRUE};
 use jni::JNIEnv;
 use tokio::runtime::Runtime;
@@ -145,6 +145,15 @@ fn jstring_to_string(env: &mut JNIEnv, s: &JString) -> String {
         .unwrap_or_else(|_| String::new())
 }
 
+/// Helper: String -> jstring, returning null on allocation failure.
+fn string_to_jstring(env: &mut JNIEnv, value: &str) -> jstring {
+    let obj: jni::errors::Result<JObject> = env.with_local_frame_returning_local(4, |env| {
+        env.new_string(value).map(JObject::from)
+    });
+    obj.map(|s| s.into_raw() as jstring)
+        .unwrap_or(std::ptr::null_mut())
+}
+
 fn safe<F: FnOnce() -> R + std::panic::UnwindSafe, R>(default: R, f: F) -> R {
     std::panic::catch_unwind(f).unwrap_or(default)
 }
@@ -327,11 +336,11 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_exportCa(
 /// `Native.version()` -> String. Trivial smoke test for the JNI linkage.
 #[no_mangle]
 pub extern "system" fn Java_com_therealaleph_mhrv_Native_version<'a>(
-    env: JNIEnv<'a>,
+    mut env: JNIEnv<'a>,
     _class: JClass,
 ) -> jstring {
     let v = env!("CARGO_PKG_VERSION");
-    env.new_string(v).map(|s| s.into_raw()).unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, v)
 }
 
 /// `Native.drainLogs()` -> String. Returns the full ring buffer as a single
@@ -340,7 +349,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_version<'a>(
 /// for display. Empty string when there's nothing to read.
 #[no_mangle]
 pub extern "system" fn Java_com_therealaleph_mhrv_Native_drainLogs<'a>(
-    env: JNIEnv<'a>,
+    mut env: JNIEnv<'a>,
     _class: JClass,
 ) -> jstring {
     let out = safe(String::new(), AssertUnwindSafe(|| {
@@ -351,7 +360,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_drainLogs<'a>(
         let lines: Vec<String> = g.drain(..).collect();
         lines.join("\n")
     }));
-    env.new_string(out).map(|s| s.into_raw()).unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, &out)
 }
 
 /// `Native.checkUpdate()` -> String. Runs the same `update_check::check`
@@ -367,7 +376,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_drainLogs<'a>(
 /// Blocking — hit from a background dispatcher.
 #[no_mangle]
 pub extern "system" fn Java_com_therealaleph_mhrv_Native_checkUpdate<'a>(
-    env: JNIEnv<'a>,
+    mut env: JNIEnv<'a>,
     _class: JClass,
 ) -> jstring {
     let result_json = safe(
@@ -383,9 +392,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_checkUpdate<'a>(
             update_check_to_json(&outcome)
         }),
     );
-    env.new_string(result_json)
-        .map(|s| s.into_raw())
-        .unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, &result_json)
 }
 
 fn update_check_to_json(u: &crate::update_check::UpdateCheck) -> String {
@@ -455,7 +462,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_testSni<'a>(
             _ => r#"{"ok":false,"error":"unknown"}"#.to_string(),
         }
     }));
-    env.new_string(result_json).map(|s| s.into_raw()).unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, &result_json)
 }
 
 /// `Native.statsJson(long handle)` -> String. Returns a JSON blob with the
@@ -466,7 +473,7 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_testSni<'a>(
 /// timer to render the "Usage today (estimated)" card.
 #[no_mangle]
 pub extern "system" fn Java_com_therealaleph_mhrv_Native_statsJson<'a>(
-    env: JNIEnv<'a>,
+    mut env: JNIEnv<'a>,
     _class: JClass,
     handle: jlong,
 ) -> jstring {
@@ -483,21 +490,21 @@ pub extern "system" fn Java_com_therealaleph_mhrv_Native_statsJson<'a>(
         };
         f.snapshot_stats().to_json()
     }));
-    env.new_string(out).map(|s| s.into_raw()).unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, &out)
 }
 
 /// `Native.pipelineDebugJson()` -> String. Snapshot of pipeline debug state:
 /// elevated session count, batch semaphore usage, recent ramp/drop events.
 /// Temporary — for the debug overlay.
 #[no_mangle]
 pub extern "system" fn Java_com_therealaleph_mhrv_Native_pipelineDebugJson<'a>(
-    env: JNIEnv<'a>,
+    mut env: JNIEnv<'a>,
     _class: JClass,
 ) -> jstring {
     let out = safe(String::new(), AssertUnwindSafe(|| {
         crate::tunnel_client::pipeline_debug::to_json()
     }));
-    env.new_string(out).map(|s| s.into_raw()).unwrap_or(std::ptr::null_mut())
+    string_to_jstring(&mut env, &out)
 }
 
 // ---------------------------------------------------------------------------
