| 1 | From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Wagner <wagi@monom.org> |
| 3 | Date: Tue, 5 Jul 2022 09:11:09 +0200 |
| 4 | Subject: wispr: Update portal context references |
| 5 | |
| 6 | Maintain proper portal context references to avoid UAF. |
| 7 | |
| 8 | Fixes: CVE-2022-32293 |
| 9 | CVE: CVE-2022-32293 |
| 10 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] |
| 11 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 12 | --- |
| 13 | src/wispr.c | 34 ++++++++++++++++++++++------------ |
| 14 | 1 file changed, 22 insertions(+), 12 deletions(-) |
| 15 | |
| 16 | diff --git a/src/wispr.c b/src/wispr.c |
| 17 | index bde7e63b..84bed33f 100644 |
| 18 | --- a/src/wispr.c |
| 19 | +++ b/src/wispr.c |
| 20 | @@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; |
| 21 | |
| 22 | static void connman_wispr_message_init(struct connman_wispr_message *msg) |
| 23 | { |
| 24 | - DBG(""); |
| 25 | - |
| 26 | msg->has_error = false; |
| 27 | msg->current_element = NULL; |
| 28 | |
| 29 | @@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) |
| 30 | static void free_connman_wispr_portal_context( |
| 31 | struct connman_wispr_portal_context *wp_context) |
| 32 | { |
| 33 | - DBG("context %p", wp_context); |
| 34 | - |
| 35 | if (wp_context->wispr_portal) { |
| 36 | if (wp_context->wispr_portal->ipv4_context == wp_context) |
| 37 | wp_context->wispr_portal->ipv4_context = NULL; |
| 38 | @@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, |
| 39 | &str)) |
| 40 | connman_info("Client-Timezone: %s", str); |
| 41 | |
| 42 | - if (!enable_online_to_ready_transition) |
| 43 | - wispr_portal_context_unref(wp_context); |
| 44 | - |
| 45 | __connman_service_ipconfig_indicate_state(service, |
| 46 | CONNMAN_SERVICE_STATE_ONLINE, type); |
| 47 | |
| 48 | @@ -546,14 +539,17 @@ static void wispr_portal_request_portal( |
| 49 | { |
| 50 | DBG(""); |
| 51 | |
| 52 | + wispr_portal_context_ref(wp_context); |
| 53 | wp_context->request_id = g_web_request_get(wp_context->web, |
| 54 | wp_context->status_url, |
| 55 | wispr_portal_web_result, |
| 56 | wispr_route_request, |
| 57 | wp_context); |
| 58 | |
| 59 | - if (wp_context->request_id == 0) |
| 60 | + if (wp_context->request_id == 0) { |
| 61 | wispr_portal_error(wp_context); |
| 62 | + wispr_portal_context_unref(wp_context); |
| 63 | + } |
| 64 | } |
| 65 | |
| 66 | static bool wispr_input(const guint8 **data, gsize *length, |
| 67 | @@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, |
| 68 | return; |
| 69 | |
| 70 | if (!authentication_done) { |
| 71 | - wispr_portal_error(wp_context); |
| 72 | free_wispr_routes(wp_context); |
| 73 | + wispr_portal_error(wp_context); |
| 74 | + wispr_portal_context_unref(wp_context); |
| 75 | return; |
| 76 | } |
| 77 | |
| 78 | /* Restarting the test */ |
| 79 | __connman_service_wispr_start(service, wp_context->type); |
| 80 | + wispr_portal_context_unref(wp_context); |
| 81 | } |
| 82 | |
| 83 | static void wispr_portal_request_wispr_login(struct connman_service *service, |
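Review bot: The early `return;` shown as context just above `if (!authentication_done)` leaves wispr_portal_browser_reply_cb without calling wispr_portal_context_unref(), while both paths changed in this hunk now drop the reference taken before __connman_agent_request_browser(). The condition guarding that return is outside the hunk, so this is inferred; if it can be true while wp_context is valid, the context is never released on that path. Consider `if (wp_context) wispr_portal_context_unref(wp_context);` before that return, or a comment stating why no reference is held there.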
| 84 | @@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, |
| 85 | |
| 86 | wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; |
| 87 | |
| 88 | + wispr_portal_context_ref(wp_context); |
| 89 | if (__connman_agent_request_login_input(wp_context->service, |
| 90 | wispr_portal_request_wispr_login, |
| 91 | - wp_context) != -EINPROGRESS) |
| 92 | + wp_context) != -EINPROGRESS) { |
| 93 | wispr_portal_error(wp_context); |
| 94 | - else |
| 95 | + wispr_portal_context_unref(wp_context); |
| 96 | + } else |
| 97 | return true; |
| 98 | |
| 99 | break; |
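Review bot: The reference taken before __connman_agent_request_login_input() is released in this hunk only on the immediate-failure branch. On -EINPROGRESS the function returns true and the release is left to wispr_portal_request_wispr_login, which no hunk of this patch touches. Unless that callback already drops a reference on every exit, the context is leaked each time the login prompt path is taken. A comment at the ref such as `/* released in wispr_portal_request_wispr_login() */` would make the ownership checkable. wispr_manage_message begins and ends outside the hunk.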
| 100 | @@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 101 | if (length > 0) { |
| 102 | g_web_parser_feed_data(wp_context->wispr_parser, |
| 103 | chunk, length); |
| 104 | + wispr_portal_context_unref(wp_context); |
| 105 | return true; |
| 106 | } |
| 107 | |
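Review bot: The unref added before `return true;` in the `length > 0` branch may release more references than were taken. Only one wispr_portal_context_ref() is taken per g_web_request_get() call, and returning true suggests the callback runs again for the same request, where it would unref once more at `done:`. If the result callback really is invoked once per received chunk, a multi-chunk response can drop the count below what the remaining owners expect and bring back the premature free this patch is meant to prevent. I would release only on the terminal paths, i.e. drop the `wispr_portal_context_unref(wp_context);` ahead of `return true;`, or document why each invocation owns its own reference.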
| 108 | @@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 109 | |
| 110 | switch (status) { |
| 111 | case 000: |
| 112 | + wispr_portal_context_ref(wp_context); |
| 113 | __connman_agent_request_browser(wp_context->service, |
| 114 | wispr_portal_browser_reply_cb, |
| 115 | wp_context->status_url, wp_context); |
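Review bot: The return value of __connman_agent_request_browser() is ignored after the new wispr_portal_context_ref(), so if the request cannot be queued wispr_portal_browser_reply_cb never runs and the reference is never dropped. The same pattern repeats in the `else` branch after the X-ConnMan-Status check, in the missing-Location branch and in `case 505`. The redirect g_web_request_get() hunk likewise shows no `request_id == 0` handling, unlike wispr_portal_request_portal. Assuming the browser request follows the same -EINPROGRESS convention as __connman_agent_request_login_input(), each site could read `if (__connman_agent_request_browser(...) != -EINPROGRESS) wispr_portal_context_unref(wp_context);`. This is a leak rather than a use-after-free, but it keeps the context and its GWeb session alive indefinitely.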
| 116 | @@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 117 | if (g_web_result_get_header(result, "X-ConnMan-Status", |
| 118 | &str)) { |
| 119 | portal_manage_status(result, wp_context); |
| 120 | + wispr_portal_context_unref(wp_context); |
| 121 | return false; |
| 122 | - } else |
| 123 | + } else { |
| 124 | + wispr_portal_context_ref(wp_context); |
| 125 | __connman_agent_request_browser(wp_context->service, |
| 126 | wispr_portal_browser_reply_cb, |
| 127 | wp_context->redirect_url, wp_context); |
| 128 | + } |
| 129 | |
| 130 | break; |
| 131 | case 300: |
| 132 | @@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 133 | !g_web_result_get_header(result, "Location", |
| 134 | &redirect)) { |
| 135 | |
| 136 | + wispr_portal_context_ref(wp_context); |
| 137 | __connman_agent_request_browser(wp_context->service, |
| 138 | wispr_portal_browser_reply_cb, |
| 139 | wp_context->status_url, wp_context); |
| 140 | @@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 141 | |
| 142 | wp_context->redirect_url = g_strdup(redirect); |
| 143 | |
| 144 | + wispr_portal_context_ref(wp_context); |
| 145 | wp_context->request_id = g_web_request_get(wp_context->web, |
| 146 | redirect, wispr_portal_web_result, |
| 147 | wispr_route_request, wp_context); |
| 148 | @@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 149 | |
| 150 | break; |
| 151 | case 505: |
| 152 | + wispr_portal_context_ref(wp_context); |
| 153 | __connman_agent_request_browser(wp_context->service, |
| 154 | wispr_portal_browser_reply_cb, |
| 155 | wp_context->status_url, wp_context); |
| 156 | @@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) |
| 157 | wp_context->request_id = 0; |
| 158 | done: |
| 159 | wp_context->wispr_msg.message_type = -1; |
| 160 | + wispr_portal_context_unref(wp_context); |
| 161 | return false; |
| 162 | } |
| 163 | |
| 164 | @@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) |
| 165 | xml_wispr_parser_callback, wp_context); |
| 166 | |
| 167 | wispr_portal_request_portal(wp_context); |
| 168 | + wispr_portal_context_unref(wp_context); |
| 169 | } |
| 170 | |
| 171 | static gboolean no_proxy_callback(gpointer user_data) |
| 172 | -- |
| 173 | cgit |
| 174 | |