Depending on how dbus is built, it might abort when null pointers are passed to it.

This patch checks an iter while parsing dbus errors; the iter might be NULL,
for instance when an operation is aborted.

This trace shows the issue:
0  0xb6c24144 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
1  0xb6c27c0c in __GI_abort () at abort.c:89
2  0xb6e73ca8 in _dbus_abort () at 
/work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-sysdeps.c:94
3  0xb6e6b1b8 in _dbus_warn_check_failed (format=0xb6e77d44 "dbus message 
iterator is NULL\n") at 
/work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-internals.c:290
4  0xb6e5a728 in _dbus_message_iter_check (iter=0x0) at 
/work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-message.c:727
5  0xb6e5b734 in dbus_message_iter_get_arg_type (iter=iter@entry=0x0) at 
/work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-message.c:2065
6  0x00025398 in parse_supplicant_error (iter=iter@entry=0x0) at 
gsupplicant/supplicant.c:3799
7  0x00025430 in interface_add_network_result (error=<optimized out>, iter=0x0, 
user_data=0x175b620) at gsupplicant/supplicant.c:3878
8  0x0002adac in supplicant_dbus_method_call_cancel_all 
(caller=caller@entry=0x1739d98) at gsupplicant/dbus.c:445
9  0x00029480 in g_supplicant_interface_cancel 
(interface=interface@entry=0x1739d98) at gsupplicant/supplicant.c:3020
10 0x00029898 in g_supplicant_interface_remove (interface=0x1739d98, 
callback=callback@entry=0x0, user_data=user_data@entry=0x0) at 
gsupplicant/supplicant.c:3487
11 0x00020df0 in wifi_disable (device=0x17306b0) at plugins/wifi.c:1134
12 0x0002f94c in __connman_device_disable (device=0x17306b0) at src/device.c:248
13 0x0005d450 in technology_affect_devices (enable_device=<optimized out>, 
technology=<optimized out>, technology=<optimized out>) at src/technology.c:630
14 0x0005d4d8 in technology_disable (technology=0x1738600) at 
src/technology.c:780
15 0x0005e634 in set_powered (powered=false, msg=0x1732aa0, 
technology=0x1738600) at src/technology.c:802
16 set_property (conn=<optimized out>, msg=0x1732aa0, data=0x1738600) at 
src/technology.c:937
17 0x00077878 in process_message (connection=connection@entry=0x1730440, 
message=message@entry=0x1732aa0, iface_user_data=0x1738600, 
iface_user_data@entry=0x1, method=0x8610c <technology_methods+24>, 
method=0x8610c <technology_methods+24>)
    at gdbus/object.c:259
18 0x00077cb8 in generic_message (connection=0x1730440, 
message=message@entry=0x1732aa0, user_data=user_data@entry=0x173b248) at 
gdbus/object.c:1070
19 0xb6e61260 in _dbus_object_tree_dispatch_and_unlock (tree=0x17301f8, 
message=message@entry=0x1732aa0, found_object=found_object@entry=0xbec56bbc)
    at /work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-object-tree.c:862
20 0xb6e51ad0 in dbus_connection_dispatch 
(connection=connection@entry=0x1730440) at 
/work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-connection.c:4672
21 0x00074404 in message_dispatch (data=0x1730440) at gdbus/mainloop.c:72
22 0xb6ebf870 in g_idle_dispatch (source=<optimized out>, callback=0x743f4 
<message_dispatch>, user_data=<optimized out>)
    at /work/my-arch/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gmain.c:5251
23 0xb6ec2bd4 in g_main_dispatch (context=0x172e028) at 
/work/my-arch/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gmain.c:3066
24 g_main_context_dispatch (context=context@entry=0x172e028) at 
/work/my-arch/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gmain.c:3642
25 0xb6ec2f60 in g_main_context_iterate (context=0x172e028, 
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /work/my-arch/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gmain.c:3713
26 0xb6ec3430 in g_main_loop_run (loop=0x172e1e8) at 
/work/my-arch/glib-2.0/1_2.38.2-r0/glib-2.38.2/glib/gmain.c:3907
27 0x000148f8 in main (argc=496656, argv=0x7cc18) at src/main.c:688
---
 gsupplicant/supplicant.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 534944b..8c1db01 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -3796,7 +3796,8 @@ static int parse_supplicant_error(DBusMessageIter *iter)
         * "invalid message format" but this error should be interpreted as
         * invalid-key.
         */
-       while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_STRING) {
+       while (iter &&
+               dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_STRING) {
                dbus_message_iter_get_basic(iter, &key);
                if (strncmp(key, "psk", 3) == 0 ||
                                strncmp(key, "wep_key", 7) == 0 ||
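Review bot: the `iter &&` guard added to the while condition is re-evaluated on every iteration although iter never changes inside the loop, and it only protects this one call; an early `if (!iter)` return at the top of parse_supplicant_error, returning whatever value the function already uses for an unparseable error, would be clearer and would also cover any other dereference of iter in the function that this hunk does not show. The trace shows the NULL comes from supplicant_dbus_method_call_cancel_all invoking interface_add_network_result with iter=0x0 on cancellation, so it would help to state in the callback's comment that iter is NULL when the call is cancelled, so that other result callbacks get the same treatment rather than being fixed one at a time.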
-- 
1.9.1

_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman