Fix a crash if P2P management interface is used (rh #1231973)

Upstream fix:
http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f

https://bugzilla.redhat.com/show_bug.cgi?id=1231973

rh1231973-dbus-fix-operations-for-p2p-mgmt.patch

@@ -0,0 +1,195 @@
+From 8a78e227df1ead19be8e12a4108e448887e64d6f Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Wed, 29 Apr 2015 10:13:34 +0000
+Subject: D-Bus: Fix operations when P2P management interface is used
+
+Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
+register a P2P management interface on DBus') hides the special P2P
+management interface from D-Bus. However, it did not take into account
+the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
+in such cases on number of code paths within the D-Bus handlers. This
+could result in invalid arguments (NULL path) being provided to D-Bus
+functions (mainly, dbus_message_iter_append_basic) and NULL pointer
+dereference when iterating over all interfaces. Either of these could
+make wpa_supplicant process terminate.
+
+Fix this by explicitly checking that the interface-specific D-Bus path
+has been registered before using it anywhere with D-Bus handlers. In
+addition, find the correct wpa_s instance to fix P2P operations through
+D-Bus when the P2P Device interface is used.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+(limited to 'wpa_supplicant/dbus/dbus_new_handlers.c')
+
+diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
+index d695d1b..3f5fd0a 100644
+--- a/wpa_supplicant/dbus/dbus_new_handlers.c
++++ b/wpa_supplicant/dbus/dbus_new_handlers.c
+@@ -157,7 +157,8 @@ static struct wpa_supplicant * get_iface_by_dbus_path(
+ 	struct wpa_supplicant *wpa_s;
+ 
+ 	for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
+-		if (os_strcmp(wpa_s->dbus_new_path, path) == 0)
++		if (wpa_s->dbus_new_path &&
++		    os_strcmp(wpa_s->dbus_new_path, path) == 0)
+ 			return wpa_s;
+ 	}
+ 	return NULL;
+@@ -600,7 +601,7 @@ DBusMessage * wpas_dbus_handler_create_interface(DBusMessage *message,
+ 		iface.bridge_ifname = bridge_ifname;
+ 		/* Otherwise, have wpa_supplicant attach to it. */
+ 		wpa_s = wpa_supplicant_add_iface(global, &iface, NULL);
+-		if (wpa_s) {
++		if (wpa_s && wpa_s->dbus_new_path) {
+ 			const char *path = wpa_s->dbus_new_path;
+ 
+ 			reply = dbus_message_new_method_return(message);
+@@ -684,7 +685,7 @@ DBusMessage * wpas_dbus_handler_get_interface(DBusMessage *message,
+ 			      DBUS_TYPE_INVALID);
+ 
+ 	wpa_s = wpa_supplicant_get_iface(global, ifname);
+-	if (wpa_s == NULL)
++	if (wpa_s == NULL || wpa_s->dbus_new_path == NULL)
+ 		return wpas_dbus_error_iface_unknown(message);
+ 
+ 	path = wpa_s->dbus_new_path;
+@@ -876,8 +877,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
+ 	unsigned int i = 0, num = 0;
+ 	dbus_bool_t success;
+ 
+-	for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
+-		num++;
++	for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
++		if (wpa_s->dbus_new_path)
++			num++;
++	}
+ 
+ 	paths = os_calloc(num, sizeof(char *));
+ 	if (!paths) {
+@@ -885,8 +888,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
+ 		return FALSE;
+ 	}
+ 
+-	for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
+-		paths[i++] = wpa_s->dbus_new_path;
++	for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
++		if (wpa_s->dbus_new_path)
++			paths[i++] = wpa_s->dbus_new_path;
++	}
+ 
+ 	success = wpas_dbus_simple_array_property_getter(iter,
+ 							 DBUS_TYPE_OBJECT_PATH,
+@@ -1478,7 +1483,8 @@ DBusMessage * wpas_dbus_handler_add_network(DBusMessage *message,
+ 
+ 	dbus_message_iter_init(message, &iter);
+ 
+-	ssid = wpa_config_add_network(wpa_s->conf);
++	if (wpa_s->dbus_new_path)
++		ssid = wpa_config_add_network(wpa_s->conf);
+ 	if (ssid == NULL) {
+ 		wpa_printf(MSG_ERROR, "%s[dbus]: can't add new interface.",
+ 			   __func__);
+@@ -1602,7 +1608,7 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message,
+ 	iface = wpas_dbus_new_decompose_object_path(op,
+ 						    WPAS_DBUS_NEW_NETWORKS_PART,
+ 						    &net_id);
+-	if (iface == NULL || net_id == NULL ||
++	if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
+ 	    os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
+ 		reply = wpas_dbus_error_invalid_args(message, op);
+ 		goto out;
+@@ -1715,7 +1721,7 @@ DBusMessage * wpas_dbus_handler_select_network(DBusMessage *message,
+ 	iface = wpas_dbus_new_decompose_object_path(op,
+ 						    WPAS_DBUS_NEW_NETWORKS_PART,
+ 						    &net_id);
+-	if (iface == NULL || net_id == NULL ||
++	if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
+ 	    os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
+ 		reply = wpas_dbus_error_invalid_args(message, op);
+ 		goto out;
+@@ -1773,7 +1779,7 @@ DBusMessage * wpas_dbus_handler_network_reply(DBusMessage *message,
+ 	iface = wpas_dbus_new_decompose_object_path(op,
+ 						    WPAS_DBUS_NEW_NETWORKS_PART,
+ 						    &net_id);
+-	if (iface == NULL || net_id == NULL ||
++	if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
+ 	    os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
+ 		reply = wpas_dbus_error_invalid_args(message, op);
+ 		goto out;
+@@ -2266,12 +2272,14 @@ DBusMessage * wpas_dbus_handler_set_pkcs11_engine_and_module_path(
+ 			message, DBUS_ERROR_FAILED,
+ 			"Reinit of the EAPOL state machine with the new PKCS #11 engine and module path failed.");
+ 
+-	wpa_dbus_mark_property_changed(
+-		wpa_s->global->dbus, wpa_s->dbus_new_path,
+-		WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
+-	wpa_dbus_mark_property_changed(
+-		wpa_s->global->dbus, wpa_s->dbus_new_path,
+-		WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
++	if (wpa_s->dbus_new_path) {
++		wpa_dbus_mark_property_changed(
++			wpa_s->global->dbus, wpa_s->dbus_new_path,
++			WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
++		wpa_dbus_mark_property_changed(
++			wpa_s->global->dbus, wpa_s->dbus_new_path,
++			WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
++	}
+ 
+ 	return NULL;
+ }
+@@ -3024,7 +3032,7 @@ dbus_bool_t wpas_dbus_getter_current_bss(DBusMessageIter *iter,
+ 	struct wpa_supplicant *wpa_s = user_data;
+ 	char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *bss_obj_path = path_buf;
+ 
+-	if (wpa_s->current_bss)
++	if (wpa_s->current_bss && wpa_s->dbus_new_path)
+ 		os_snprintf(bss_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
+ 			    "%s/" WPAS_DBUS_NEW_BSSIDS_PART "/%u",
+ 			    wpa_s->dbus_new_path, wpa_s->current_bss->id);
+@@ -3052,7 +3060,7 @@ dbus_bool_t wpas_dbus_getter_current_network(DBusMessageIter *iter,
+ 	struct wpa_supplicant *wpa_s = user_data;
+ 	char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *net_obj_path = path_buf;
+ 
+-	if (wpa_s->current_ssid)
++	if (wpa_s->current_ssid && wpa_s->dbus_new_path)
+ 		os_snprintf(net_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
+ 			    "%s/" WPAS_DBUS_NEW_NETWORKS_PART "/%u",
+ 			    wpa_s->dbus_new_path, wpa_s->current_ssid->id);
+@@ -3140,6 +3148,12 @@ dbus_bool_t wpas_dbus_getter_bsss(DBusMessageIter *iter, DBusError *error,
+ 	unsigned int i = 0;
+ 	dbus_bool_t success = FALSE;
+ 
++	if (!wpa_s->dbus_new_path) {
++		dbus_set_error(error, DBUS_ERROR_FAILED,
++			       "%s: no D-Bus interface", __func__);
++		return FALSE;
++	}
++
+ 	paths = os_calloc(wpa_s->num_bss, sizeof(char *));
+ 	if (!paths) {
+ 		dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, "no memory");
+@@ -3191,6 +3205,12 @@ dbus_bool_t wpas_dbus_getter_networks(DBusMessageIter *iter, DBusError *error,
+ 	unsigned int i = 0, num = 0;
+ 	dbus_bool_t success = FALSE;
+ 
++	if (!wpa_s->dbus_new_path) {
++		dbus_set_error(error, DBUS_ERROR_FAILED,
++			       "%s: no D-Bus interface", __func__);
++		return FALSE;
++	}
++
+ 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next)
+ 		if (!network_is_persistent_group(ssid))
+ 			num++;
+@@ -4104,7 +4124,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
+ 	struct wpas_dbus_priv *priv = wpa_s->global->dbus;
+ 
+ 	/* Do nothing if the control interface is not turned on */
+-	if (priv == NULL)
++	if (priv == NULL || !wpa_s->dbus_new_path)
+ 		return;
+ 
+ 	if (wpa_s->preq_notify_peer == NULL)
+--
+cgit v0.9.2

wpa_supplicant.spec

@@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -38,6 +38,9 @@ Patch8: rh837402-less-aggressive-roaming.patch
 # CVE-2015-1863, backport from upstream master, will be in 2.5
 # http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd
 Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+# Fix a crash - rh #1231973
+# http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f
+Patch10: rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -89,6 +92,7 @@ Graphical User Interface for wpa_supplicant written using QT
 %patch6 -p1 -b .qt4
 %patch8 -p1 -b .rh837402-less-aggressive-roaming
 %patch9 -p1 -b .cve-2015-1863
+%patch10 -p1 -b .rh1231973-dbus-fix-operations-for-p2p-mgmt
 
 %build
 pushd wpa_supplicant
@@ -203,6 +207,9 @@ fi
 %endif
 
 %changelog
+* Tue Jun 16 2015 Jiří Klimeš <jklimes@redhat.com> - 1:2.4-3
+- Fix a crash if P2P management interface is used (rh #1231973)
+
 * Thu Apr 23 2015 Dan Williams <dcbw@redhat.com> - 1:2.4-2
 - Remove obsolete wpa_supplicant-openssl-more-algs.patch