CVE-2022-32293: [PATCH 3/6] wispr: Add reference counter to portal context

From: Daniel Wagner [email protected] To: [email protected] Cc: Daniel Wagner [email protected] Subject: [PATCH 3/6] wispr: Add reference counter to portal context Date: Mon, 1 Aug 2022 10:00:40 +0200 [thread overview] Message-ID: [email protected] (raw) In-Reply-To: <[email protected]>

Track the connman_wispr_portal_context live time via a refcounter. This only adds the infrastructure to do proper reference counting.

Fixes: CVE-2022-32293

src/wispr.c | 52 +++++++++++++++++++++++++++++++++++++++++±--------- 1 file changed, 42 insertions(+), 10 deletions(-)

diff --git a/src/wispr.c b/src/wispr.c index a07896cabe48…bde7e63ba4b2 100644 — a/src/wispr.c +++ b/src/wispr.c @@ -56,6 +56,7 @@ struct wispr_route { };

struct connman_wispr_portal_context {

• int refcount; struct connman_service *service; enum connman_ipconfig_type type; struct connman_wispr_portal *wispr_portal; @@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; static char *online_check_ipv6_url = NULL; static bool enable_online_to_ready_transition = false;

+#define wispr_portal_context_ref(wp_context) \

• wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) +#define wispr_portal_context_unref(wp_context) \
• wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)

static void connman_wispr_message_init(struct connman_wispr_message *msg) { DBG(“”); @@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( { DBG("context %p", wp_context);

- if (!wp_context)

•   return;
  

• if (wp_context->wispr_portal) { if (wp_context->wispr_portal->ipv4_context == wp_context) wp_context->wispr_portal->ipv4_context = NULL; @@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( g_free(wp_context); }

+static struct connman_wispr_portal_context * +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,

•       const char \*file, int line, const char \*caller)
  

+{

• DBG("%p ref %d by %s:%d:%s()", wp_context,

•   wp\_context->refcount + 1, file, line, caller);
  

• __sync_fetch_and_add(&wp_context->refcount, 1);
• return wp_context; +}

+static void wispr_portal_context_unref_debug(

•   struct connman\_wispr\_portal\_context \*wp\_context,
  

•   const char \*file, int line, const char \*caller)
  

+{

• if (!wp_context)

•   return;
  

• DBG("%p ref %d by %s:%d:%s()", wp_context,

•   wp\_context->refcount - 1, file, line, caller);
  

• if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)

•   return;
  

• free_connman_wispr_portal_context(wp_context); +}

static struct connman_wispr_portal_context *create_wispr_portal_context(void) { - return g_try_new0(struct connman_wispr_portal_context, 1);

• return wispr_portal_context_ref(

•   g\_new0(struct connman\_wispr\_portal\_context, 1));
  

}

static void free_connman_wispr_portal(gpointer data) @@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) if (!wispr_portal) return;

- free_connman_wispr_portal_context(wispr_portal->ipv4_context);

• free_connman_wispr_portal_context(wispr_portal->ipv6_context);

• wispr_portal_context_unref(wispr_portal->ipv4_context);

• wispr_portal_context_unref(wispr_portal->ipv6_context);

  g_free(wispr_portal); } @@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, connman_info("Client-Timezone: %s", str);

  if (!enable_online_to_ready_transition) - free_connman_wispr_portal_context(wp_context);

•   wispr\_portal\_context\_unref(wp\_context);
  

  __connman_service_ipconfig_indicate_state(service, CONNMAN_SERVICE_STATE_ONLINE, type); @@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, return; }

- free_connman_wispr_portal_context(wp_context);

•   wispr\_portal\_context\_unref(wp\_context);
    return;
  

  }

@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)

    if (wp\_context->token == 0) {
        err = -EINVAL;

- free_connman_wispr_portal_context(wp_context);

•       wispr\_portal\_context\_unref(wp\_context);
    }
  

  } else if (wp_context->timeout == 0) { wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); @@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,

  /* If there is already an existing context, we wipe it */ if (wp_context) - free_connman_wispr_portal_context(wp_context);

•   wispr\_portal\_context\_unref(wp\_context);
  

  wp_context = create_wispr_portal_context(); if (!wp_context) – 2.37.1

next prev parent reply other threads:[~2022-08-01 8:07 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-08-01 8:00 [PATCH 1/6] wispr: Rename wispr_portal_list to wispr_portal_hash Daniel Wagner 2022-08-01 8:00 ` [PATCH 2/6] wispr: Ignore NULL proxy Daniel Wagner 2022-08-01 8:00 ` Daniel Wagner [this message] 2022-08-01 8:00 ` [PATCH 4/6] wispr: Update portal context references Daniel Wagner 2022-08-01 8:00 ` [PATCH 5/6] gweb: Fix OOB write in received_data() Daniel Wagner 2022-08-01 8:00 ` [PATCH 6/6] AUTHORS: Mention Nathan’s contributions Daniel Wagner

Reply instructions:

You may reply publicly to this message via plain-text email using any one of the following methods:

* Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox

Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the –to, –cc, and –in-reply-to switches of git-send-email(1):

git send-email \ –[email protected] \ –[email protected] \ –[email protected] \ –subject=’Re: [PATCH 3/6] wispr: Add reference counter to portal context’ \ /path/to/YOUR_REPLY

https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).