Fix a crash if P2P management interface is used (rh #1231973)
Upstream fix: http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f https://bugzilla.redhat.com/show_bug.cgi?id=1231973
This commit is contained in:
parent
2ba26b0190
commit
d63c1a7a80
195
rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
Normal file
195
rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
Normal file
@ -0,0 +1,195 @@
|
||||
From 8a78e227df1ead19be8e12a4108e448887e64d6f Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
Date: Wed, 29 Apr 2015 10:13:34 +0000
|
||||
Subject: D-Bus: Fix operations when P2P management interface is used
|
||||
|
||||
Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
|
||||
register a P2P management interface on DBus') hides the special P2P
|
||||
management interface from D-Bus. However, it did not take into account
|
||||
the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
|
||||
in such cases on number of code paths within the D-Bus handlers. This
|
||||
could result in invalid arguments (NULL path) being provided to D-Bus
|
||||
functions (mainly, dbus_message_iter_append_basic) and NULL pointer
|
||||
dereference when iterating over all interfaces. Either of these could
|
||||
make wpa_supplicant process terminate.
|
||||
|
||||
Fix this by explicitly checking that the interface-specific D-Bus path
|
||||
has been registered before using it anywhere with D-Bus handlers. In
|
||||
addition, find the correct wpa_s instance to fix P2P operations through
|
||||
D-Bus when the P2P Device interface is used.
|
||||
|
||||
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
---
|
||||
(limited to 'wpa_supplicant/dbus/dbus_new_handlers.c')
|
||||
|
||||
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
|
||||
index d695d1b..3f5fd0a 100644
|
||||
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
|
||||
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
|
||||
@@ -157,7 +157,8 @@ static struct wpa_supplicant * get_iface_by_dbus_path(
|
||||
struct wpa_supplicant *wpa_s;
|
||||
|
||||
for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
|
||||
- if (os_strcmp(wpa_s->dbus_new_path, path) == 0)
|
||||
+ if (wpa_s->dbus_new_path &&
|
||||
+ os_strcmp(wpa_s->dbus_new_path, path) == 0)
|
||||
return wpa_s;
|
||||
}
|
||||
return NULL;
|
||||
@@ -600,7 +601,7 @@ DBusMessage * wpas_dbus_handler_create_interface(DBusMessage *message,
|
||||
iface.bridge_ifname = bridge_ifname;
|
||||
/* Otherwise, have wpa_supplicant attach to it. */
|
||||
wpa_s = wpa_supplicant_add_iface(global, &iface, NULL);
|
||||
- if (wpa_s) {
|
||||
+ if (wpa_s && wpa_s->dbus_new_path) {
|
||||
const char *path = wpa_s->dbus_new_path;
|
||||
|
||||
reply = dbus_message_new_method_return(message);
|
||||
@@ -684,7 +685,7 @@ DBusMessage * wpas_dbus_handler_get_interface(DBusMessage *message,
|
||||
DBUS_TYPE_INVALID);
|
||||
|
||||
wpa_s = wpa_supplicant_get_iface(global, ifname);
|
||||
- if (wpa_s == NULL)
|
||||
+ if (wpa_s == NULL || wpa_s->dbus_new_path == NULL)
|
||||
return wpas_dbus_error_iface_unknown(message);
|
||||
|
||||
path = wpa_s->dbus_new_path;
|
||||
@@ -876,8 +877,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
|
||||
unsigned int i = 0, num = 0;
|
||||
dbus_bool_t success;
|
||||
|
||||
- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
|
||||
- num++;
|
||||
+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
|
||||
+ if (wpa_s->dbus_new_path)
|
||||
+ num++;
|
||||
+ }
|
||||
|
||||
paths = os_calloc(num, sizeof(char *));
|
||||
if (!paths) {
|
||||
@@ -885,8 +888,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
|
||||
- paths[i++] = wpa_s->dbus_new_path;
|
||||
+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
|
||||
+ if (wpa_s->dbus_new_path)
|
||||
+ paths[i++] = wpa_s->dbus_new_path;
|
||||
+ }
|
||||
|
||||
success = wpas_dbus_simple_array_property_getter(iter,
|
||||
DBUS_TYPE_OBJECT_PATH,
|
||||
@@ -1478,7 +1483,8 @@ DBusMessage * wpas_dbus_handler_add_network(DBusMessage *message,
|
||||
|
||||
dbus_message_iter_init(message, &iter);
|
||||
|
||||
- ssid = wpa_config_add_network(wpa_s->conf);
|
||||
+ if (wpa_s->dbus_new_path)
|
||||
+ ssid = wpa_config_add_network(wpa_s->conf);
|
||||
if (ssid == NULL) {
|
||||
wpa_printf(MSG_ERROR, "%s[dbus]: can't add new interface.",
|
||||
__func__);
|
||||
@@ -1602,7 +1608,7 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message,
|
||||
iface = wpas_dbus_new_decompose_object_path(op,
|
||||
WPAS_DBUS_NEW_NETWORKS_PART,
|
||||
&net_id);
|
||||
- if (iface == NULL || net_id == NULL ||
|
||||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
|
||||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
|
||||
reply = wpas_dbus_error_invalid_args(message, op);
|
||||
goto out;
|
||||
@@ -1715,7 +1721,7 @@ DBusMessage * wpas_dbus_handler_select_network(DBusMessage *message,
|
||||
iface = wpas_dbus_new_decompose_object_path(op,
|
||||
WPAS_DBUS_NEW_NETWORKS_PART,
|
||||
&net_id);
|
||||
- if (iface == NULL || net_id == NULL ||
|
||||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
|
||||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
|
||||
reply = wpas_dbus_error_invalid_args(message, op);
|
||||
goto out;
|
||||
@@ -1773,7 +1779,7 @@ DBusMessage * wpas_dbus_handler_network_reply(DBusMessage *message,
|
||||
iface = wpas_dbus_new_decompose_object_path(op,
|
||||
WPAS_DBUS_NEW_NETWORKS_PART,
|
||||
&net_id);
|
||||
- if (iface == NULL || net_id == NULL ||
|
||||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
|
||||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
|
||||
reply = wpas_dbus_error_invalid_args(message, op);
|
||||
goto out;
|
||||
@@ -2266,12 +2272,14 @@ DBusMessage * wpas_dbus_handler_set_pkcs11_engine_and_module_path(
|
||||
message, DBUS_ERROR_FAILED,
|
||||
"Reinit of the EAPOL state machine with the new PKCS #11 engine and module path failed.");
|
||||
|
||||
- wpa_dbus_mark_property_changed(
|
||||
- wpa_s->global->dbus, wpa_s->dbus_new_path,
|
||||
- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
|
||||
- wpa_dbus_mark_property_changed(
|
||||
- wpa_s->global->dbus, wpa_s->dbus_new_path,
|
||||
- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
|
||||
+ if (wpa_s->dbus_new_path) {
|
||||
+ wpa_dbus_mark_property_changed(
|
||||
+ wpa_s->global->dbus, wpa_s->dbus_new_path,
|
||||
+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
|
||||
+ wpa_dbus_mark_property_changed(
|
||||
+ wpa_s->global->dbus, wpa_s->dbus_new_path,
|
||||
+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
|
||||
+ }
|
||||
|
||||
return NULL;
|
||||
}
|
||||
@@ -3024,7 +3032,7 @@ dbus_bool_t wpas_dbus_getter_current_bss(DBusMessageIter *iter,
|
||||
struct wpa_supplicant *wpa_s = user_data;
|
||||
char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *bss_obj_path = path_buf;
|
||||
|
||||
- if (wpa_s->current_bss)
|
||||
+ if (wpa_s->current_bss && wpa_s->dbus_new_path)
|
||||
os_snprintf(bss_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
|
||||
"%s/" WPAS_DBUS_NEW_BSSIDS_PART "/%u",
|
||||
wpa_s->dbus_new_path, wpa_s->current_bss->id);
|
||||
@@ -3052,7 +3060,7 @@ dbus_bool_t wpas_dbus_getter_current_network(DBusMessageIter *iter,
|
||||
struct wpa_supplicant *wpa_s = user_data;
|
||||
char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *net_obj_path = path_buf;
|
||||
|
||||
- if (wpa_s->current_ssid)
|
||||
+ if (wpa_s->current_ssid && wpa_s->dbus_new_path)
|
||||
os_snprintf(net_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
|
||||
"%s/" WPAS_DBUS_NEW_NETWORKS_PART "/%u",
|
||||
wpa_s->dbus_new_path, wpa_s->current_ssid->id);
|
||||
@@ -3140,6 +3148,12 @@ dbus_bool_t wpas_dbus_getter_bsss(DBusMessageIter *iter, DBusError *error,
|
||||
unsigned int i = 0;
|
||||
dbus_bool_t success = FALSE;
|
||||
|
||||
+ if (!wpa_s->dbus_new_path) {
|
||||
+ dbus_set_error(error, DBUS_ERROR_FAILED,
|
||||
+ "%s: no D-Bus interface", __func__);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
paths = os_calloc(wpa_s->num_bss, sizeof(char *));
|
||||
if (!paths) {
|
||||
dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, "no memory");
|
||||
@@ -3191,6 +3205,12 @@ dbus_bool_t wpas_dbus_getter_networks(DBusMessageIter *iter, DBusError *error,
|
||||
unsigned int i = 0, num = 0;
|
||||
dbus_bool_t success = FALSE;
|
||||
|
||||
+ if (!wpa_s->dbus_new_path) {
|
||||
+ dbus_set_error(error, DBUS_ERROR_FAILED,
|
||||
+ "%s: no D-Bus interface", __func__);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next)
|
||||
if (!network_is_persistent_group(ssid))
|
||||
num++;
|
||||
@@ -4104,7 +4124,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
|
||||
struct wpas_dbus_priv *priv = wpa_s->global->dbus;
|
||||
|
||||
/* Do nothing if the control interface is not turned on */
|
||||
- if (priv == NULL)
|
||||
+ if (priv == NULL || !wpa_s->dbus_new_path)
|
||||
return;
|
||||
|
||||
if (wpa_s->preq_notify_peer == NULL)
|
||||
--
|
||||
cgit v0.9.2
|
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
|
||||
Name: wpa_supplicant
|
||||
Epoch: 1
|
||||
Version: 2.4
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: BSD
|
||||
Group: System Environment/Base
|
||||
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
|
||||
@ -38,6 +38,9 @@ Patch8: rh837402-less-aggressive-roaming.patch
|
||||
# CVE-2015-1863, backport from upstream master, will be in 2.5
|
||||
# http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd
|
||||
Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
|
||||
# Fix a crash - rh #1231973
|
||||
# http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f
|
||||
Patch10: rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
|
||||
|
||||
URL: http://w1.fi/wpa_supplicant/
|
||||
|
||||
@ -89,6 +92,7 @@ Graphical User Interface for wpa_supplicant written using QT
|
||||
%patch6 -p1 -b .qt4
|
||||
%patch8 -p1 -b .rh837402-less-aggressive-roaming
|
||||
%patch9 -p1 -b .cve-2015-1863
|
||||
%patch10 -p1 -b .rh1231973-dbus-fix-operations-for-p2p-mgmt
|
||||
|
||||
%build
|
||||
pushd wpa_supplicant
|
||||
@ -203,6 +207,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 16 2015 Jiří Klimeš <jklimes@redhat.com> - 1:2.4-3
|
||||
- Fix a crash if P2P management interface is used (rh #1231973)
|
||||
|
||||
* Thu Apr 23 2015 Dan Williams <dcbw@redhat.com> - 1:2.4-2
|
||||
- Remove obsolete wpa_supplicant-openssl-more-algs.patch
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user