From 7b60501ccc74b7e41720c177e2b25a002f64126e Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Tue, 3 May 2011 11:37:42 -0500
Subject: [PATCH] Don't crash when trying to access invalid properties via D-Bus (rh #678625)
---
 wpa_supplicant-dbus-null-error.patch | 47 ++++++++++++++++++++++++++++
 wpa_supplicant.spec | 8 ++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 wpa_supplicant-dbus-null-error.patch
diff --git a/wpa_supplicant-dbus-null-error.patch b/wpa_supplicant-dbus-null-error.patch
new file mode 100644
index 0000000..ede6006
--- /dev/null
+++ b/wpa_supplicant-dbus-null-error.patch
@@ -0,0 +1,47 @@
+commit 8ee69e06336d65b15364f4db82d91775d0fe47c6
+Author: Paul Stewart
+Date: Sat Oct 9 17:29:51 2010 +0300
+
+ dbus_new_handlers: Don't send NULL to dbus_message_new_error
+
+ The new DBus API helper function wpas_dbus_error_unknown_error
+ function can be called as a result of a failure within internal
+ getter calls, which will call this function with a NULL message
+ parameter. However, dbus_message_new_error looks very unkindly
+ (i.e, abort()) on a NULL message, so in this case, we should not
+ call it.
+
+ I've observed this course of events during a call to
+ wpas_dbus_getter_bss_wpa with a faileld parse of the IE parameter.
+ We got here through a call to fill_dict_with_properties which
+ explicitly calls getters with a NULL message parameter. Judging
+ from the way it is called, this could easily occur if an AP sends
+ out a malformed (or mis-received) probe response. I usually run
+ into this problem while driving through San Francisco, so I'm
+ exposed to any number of base stations along this path.
+
+diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
+index 73f4e44..0ad51a0 100644
+--- a/wpa_supplicant/dbus/dbus_new_handlers.c
++++ b/wpa_supplicant/dbus/dbus_new_handlers.c
+@@ -117,6 +117,20 @@ static char * wpas_dbus_new_decompose_object_path(const char *path,
+ DBusMessage * wpas_dbus_error_unknown_error(DBusMessage *message,
+ const char *arg)
+ {
++ /*
++ * This function can be called as a result of a failure
++ * within internal getter calls, which will call this function
++ * with a NULL message parameter. However, dbus_message_new_error
++ * looks very unkindly (i.e, abort()) on a NULL message, so
++ * in this case, we should not call it.
++ */
++ if (message == NULL) {
++ wpa_printf(MSG_INFO, "dbus: wpas_dbus_error_unknown_error "
++ "called with NULL message (arg=%s)",
++ arg ? arg : "N/A");
++ return NULL;
++ }
++
+ return dbus_message_new_error(message, WPAS_DBUS_ERROR_UNKNOWN_ERROR,
+ arg);
+ }
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 6506838..f0ca4fc 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -2,7 +2,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 0.7.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
@@ -35,6 +35,8 @@ Patch5: wpa_supplicant-openssl-more-algs.patch
 Patch6: wpa_supplicant-gui-qt4.patch
 # Send PropertyChanged notificationes when the BSS list changes
 Patch7: wpa_supplicant-bss-changed-prop-notify.patch
+# Don't crash trying to pass NULL to dbus
+Patch8: wpa_supplicant-dbus-null-error.patch
 # Dirty hack for WiMAX
 # http://linuxwimax.org/Download?action=AttachFile&do=get&target=wpa-1.5-README.txt
 Patch100: wpa_supplicant-0.7.2-generate-libeap-peer.patch
@@ -95,6 +97,7 @@ Don't use this unless you know what you're doing.
 %patch5 -p1 -b .more-openssl-algs
 %patch6 -p1 -b .qt4
 %patch7 -p1 -b .bss-changed-prop-notify
+%patch8 -p1 -b .dbus-null
 %build
 pushd wpa_supplicant
@@ -211,6 +214,9 @@ fi
 %postun -n libeap -p /sbin/ldconfig
 %changelog
+* Tue May 3 2011 Dan Williams - 1:0.7.3-8
+- Don't crash when trying to access invalid properties via D-Bus (rh #678625)
+
 * Mon May 2 2011 Dan Williams - 1:0.7.3-7
 - Make examples read-only to avoid erroneous python dependency (rh #687952)
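Review bot: The new `message == NULL` branch in `wpas_dbus_error_unknown_error` makes the helper return NULL, but the added comment only explains why `dbus_message_new_error` is skipped and never states the new return contract. Every caller that forwards this result now has to treat NULL as "no reply"; the callers named in the description (`fill_dict_with_properties` and the internal getters) are outside this hunk and should be checked for any dereference or unref of the result. I would add one line to the comment, `* Returns NULL in that case; callers must not dereference or send the result.` Because the description says a malformed probe response from any AP in range can reach this path, logging at `MSG_INFO` on every occurrence may let nearby radio traffic fill the log, so `MSG_DEBUG` looks like the safer level. The other error-reply helpers in this file presumably hand `message` to `dbus_message_new_error` the same way and would need the same guard; that is not visible here.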