| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame^] | 1 | From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Wagner <wagi@monom.org> |
| 3 | Date: Tue, 5 Jul 2022 08:32:12 +0200 |
| 4 | Subject: wispr: Add reference counter to portal context |
| 5 | |
| 6 | Track the connman_wispr_portal_context live time via a |
| 7 | refcounter. This only adds the infrastructure to do proper reference |
| 8 | counting. |
| 9 | |
| 10 | Fixes: CVE-2022-32293 |
| 11 | CVE: CVE-2022-32293 |
| 12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] |
| 13 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 14 | --- |
| 15 | src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- |
| 16 | 1 file changed, 42 insertions(+), 10 deletions(-) |
| 17 | |
| 18 | diff --git a/src/wispr.c b/src/wispr.c |
| 19 | index a07896ca..bde7e63b 100644 |
| 20 | --- a/src/wispr.c |
| 21 | +++ b/src/wispr.c |
| 22 | @@ -56,6 +56,7 @@ struct wispr_route { |
| 23 | }; |
| 24 | |
| 25 | struct connman_wispr_portal_context { |
| 26 | + int refcount; |
| 27 | struct connman_service *service; |
| 28 | enum connman_ipconfig_type type; |
| 29 | struct connman_wispr_portal *wispr_portal; |
| 30 | @@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; |
| 31 | static char *online_check_ipv6_url = NULL; |
| 32 | static bool enable_online_to_ready_transition = false; |
| 33 | |
| 34 | +#define wispr_portal_context_ref(wp_context) \ |
| 35 | + wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) |
| 36 | +#define wispr_portal_context_unref(wp_context) \ |
| 37 | + wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) |
| 38 | + |
| 39 | static void connman_wispr_message_init(struct connman_wispr_message *msg) |
| 40 | { |
| 41 | DBG(""); |
| 42 | @@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( |
| 43 | { |
| 44 | DBG("context %p", wp_context); |
| 45 | |
| 46 | - if (!wp_context) |
| 47 | - return; |
| 48 | - |
| 49 | if (wp_context->wispr_portal) { |
| 50 | if (wp_context->wispr_portal->ipv4_context == wp_context) |
| 51 | wp_context->wispr_portal->ipv4_context = NULL; |
| 52 | @@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( |
| 53 | g_free(wp_context); |
| 54 | } |
| 55 | |
| 56 | +static struct connman_wispr_portal_context * |
| 57 | +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, |
| 58 | + const char *file, int line, const char *caller) |
| 59 | +{ |
| 60 | + DBG("%p ref %d by %s:%d:%s()", wp_context, |
| 61 | + wp_context->refcount + 1, file, line, caller); |
| 62 | + |
| 63 | + __sync_fetch_and_add(&wp_context->refcount, 1); |
| 64 | + |
| 65 | + return wp_context; |
| 66 | +} |
| 67 | + |
| 68 | +static void wispr_portal_context_unref_debug( |
| 69 | + struct connman_wispr_portal_context *wp_context, |
| 70 | + const char *file, int line, const char *caller) |
| 71 | +{ |
| 72 | + if (!wp_context) |
| 73 | + return; |
| 74 | + |
| 75 | + DBG("%p ref %d by %s:%d:%s()", wp_context, |
| 76 | + wp_context->refcount - 1, file, line, caller); |
| 77 | + |
| 78 | + if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) |
| 79 | + return; |
| 80 | + |
| 81 | + free_connman_wispr_portal_context(wp_context); |
| 82 | +} |
| 83 | + |
| 84 | static struct connman_wispr_portal_context *create_wispr_portal_context(void) |
| 85 | { |
| 86 | - return g_try_new0(struct connman_wispr_portal_context, 1); |
| 87 | + return wispr_portal_context_ref( |
| 88 | + g_new0(struct connman_wispr_portal_context, 1)); |
| 89 | } |
| 90 | |
| 91 | static void free_connman_wispr_portal(gpointer data) |
| 92 | @@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) |
| 93 | if (!wispr_portal) |
| 94 | return; |
| 95 | |
| 96 | - free_connman_wispr_portal_context(wispr_portal->ipv4_context); |
| 97 | - free_connman_wispr_portal_context(wispr_portal->ipv6_context); |
| 98 | + wispr_portal_context_unref(wispr_portal->ipv4_context); |
| 99 | + wispr_portal_context_unref(wispr_portal->ipv6_context); |
| 100 | |
| 101 | g_free(wispr_portal); |
| 102 | } |
| 103 | @@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, |
| 104 | connman_info("Client-Timezone: %s", str); |
| 105 | |
| 106 | if (!enable_online_to_ready_transition) |
| 107 | - free_connman_wispr_portal_context(wp_context); |
| 108 | + wispr_portal_context_unref(wp_context); |
| 109 | |
| 110 | __connman_service_ipconfig_indicate_state(service, |
| 111 | CONNMAN_SERVICE_STATE_ONLINE, type); |
| 112 | @@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, |
| 113 | return; |
| 114 | } |
| 115 | |
| 116 | - free_connman_wispr_portal_context(wp_context); |
| 117 | + wispr_portal_context_unref(wp_context); |
| 118 | return; |
| 119 | } |
| 120 | |
| 121 | @@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) |
| 122 | |
| 123 | if (wp_context->token == 0) { |
| 124 | err = -EINVAL; |
| 125 | - free_connman_wispr_portal_context(wp_context); |
| 126 | + wispr_portal_context_unref(wp_context); |
| 127 | } |
| 128 | } else if (wp_context->timeout == 0) { |
| 129 | wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); |
| 130 | @@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service, |
| 131 | |
| 132 | /* If there is already an existing context, we wipe it */ |
| 133 | if (wp_context) |
| 134 | - free_connman_wispr_portal_context(wp_context); |
| 135 | + wispr_portal_context_unref(wp_context); |
| 136 | |
| 137 | wp_context = create_wispr_portal_context(); |
| 138 | if (!wp_context) |
| 139 | -- |
| 140 | cgit |
| 141 | |