Today's Topics: 1. [PATCH] gdhcp: Fix use of dhcp_client after free (Vivien Henriet) 2. [PATCH] gdhcp: Retry to get an IPv4ll ip even after MAX_CONFLICTS (Vivien Henriet) ---------------------------------------------------------------------- Message: 1 Date: Wed, 12 Sep 2018 13:02:29 +0200
From: Vivien Henriet <v.henr...@overkiz.com>
To: connman@lists.01.org
Subject: [PATCH] gdhcp: Fix use of dhcp_client after free
Message-ID: <20180912110229.23226-1-v.henr...@overkiz.com>
==6439==ERROR: AddressSanitizer: heap-use-after-free on address 0xb3d031f4 at pc 0x0002a86c bp 0xbe897f7c sp 0xbe897f74
READ of size 4 at 0xb3d031f4 thread T0
#0 0x2a86b (/usr/sbin/connmand+0x2a86b) ./gdhcp/client.c:1542 switch_listening_mode
#1 0x297ff (/usr/sbin/connmand+0x297ff) ./gdhcp/client.c:1392 ipv4ll_stop
#2 0x2a0fb (/usr/sbin/connmand+0x2a0fb) ./gdhcp/client.c:1462 ipv4ll_recv_arp_packet
#3 0x2f537 (/usr/sbin/connmand+0x2f537) ./gdhcp/client.c:2311 listener_event
0xb3d031f4 is located 52 bytes inside of 320-byte region [0xb3d031c0,0xb3d03300)
freed by thread T0 here:
#0 0xb6a18483 in free (/usr/lib/libasan.so.3+0xbe483)
#1 0x36acf (/usr/sbin/connmand+0x36acf) ./gdhcp/client.c:3252 g_dhcp_client_unref
#2 0x136d0b (/usr/sbin/connmand+0x136d0b) ./src/dhcp.c:89 ipv4ll_stop_client
#3 0x1387bb (/usr/sbin/connmand+0x1387bb) ./src/dhcp.c:295 ipv4ll_lost_cb
#4 0x2a0f3 (/usr/sbin/connmand+0x2a0f3) ./gdhcp/client.c:1458 ipv4ll_recv_arp_packet
#5 0x2f537 (/usr/sbin/connmand+0x2f537) ./gdhcp/client.c:2311 listener_event
#6 0xb68a2a33 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x47a33)
previously allocated by thread T0 here:
#0 0xb6a188ef in calloc (/usr/lib/libasan.so.3+0xbe8ef)
#1 0x27f2f (/usr/sbin/connmand+0x27f2f) ./gdhcp/client.c:1164
#2 0x137f2b (/usr/sbin/connmand+0x137f2b) ./src/dhcp.c:203
#3 0x138603 (/usr/sbin/connmand+0x138603) ./src/dhcp.c:271
#4 0x334c3 (/usr/sbin/connmand+0x334c3) ./gdhcp/client.c:2818
#5 0x31d0f (/usr/sbin/connmand+0x31d0f) ./gdhcp/client.c:2635
#6 0xb68a3677 (/usr/lib/libglib-2.0.so.0+0x48677)
---
 gdhcp/client.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/gdhcp/client.c b/gdhcp/client.c
index eb234b65..81ea8706 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1532,6 +1532,12 @@ static gboolean request_timeout(gpointer user_data)
 return FALSE;
 }
+static void listener_watch_destroy(gpointer user_data)
+{
+ GDHCPClient *dhcp_client = user_data;
+ g_dhcp_client_unref(dhcp_client);
+}
+
 static gboolean listener_event(GIOChannel *channel, GIOCondition condition, gpointer user_data);
@@ -1591,8 +1597,8 @@ static int switch_listening_mode(GDHCPClient *dhcp_client,
 dhcp_client->listener_watch = g_io_add_watch_full(listener_channel, G_PRIORITY_HIGH, G_IO_IN | G_IO_NVAL | G_IO_ERR | G_IO_HUP,
- listener_event, dhcp_client,
- NULL);
+ listener_event, g_dhcp_client_ref(dhcp_client),
+ listener_watch_destroy);
 g_io_channel_unref(listener_channel);
 return 0;
-- 
2.17.1
------------------------------
Message: 2
Date: Wed, 12 Sep 2018 14:15:54 +0200
From: Vivien Henriet <v.henr...@overkiz.com>
To: connman@lists.01.org
Subject: [PATCH] gdhcp: Retry to get an IPv4ll ip even after MAX_CONFLICTS
Message-ID: <20180912121554.17179-1-v.henr...@overkiz.com>
There is no reason to stop retry after MAX_CONFLICTS (10) tries. Do so will make the device unable to retrieve an IPv4ll ip on large network. The commit will make connman retry forever until it eventually got a non conflicting ip, honnoring the RATE_LIMIT_INTERVAL.
---
 gdhcp/client.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/gdhcp/client.c b/gdhcp/client.c
index eb234b65..bcb34d29 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1416,6 +1416,7 @@ static int ipv4ll_recv_arp_packet(GDHCPClient *dhcp_client)
 uint32_t ip_requested;
 int source_conflict;
 int target_conflict;
+ guint timeout_ms;
 memset(&arp, 0, sizeof(arp));
 bytes = read(dhcp_client->listener_sockfd, &arp, sizeof(arp));
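Review bot: `listener_watch_destroy()`, added in the first patch's `@@ -1532` hunk, has no comment saying which reference it releases, and that matters because it can be the call that frees the client. GLib invokes the destroy notify once the watch source is removed, so any code that removes `listener_watch` and then keeps touching `dhcp_client` needs a reference of its own; the removal site is outside this hunk. I would add `/* Release the reference held by the listener watch (taken in switch_listening_mode()); this may free dhcp_client. */` above the function and put a blank line between the declaration and the `g_dhcp_client_unref()` call.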
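Review bot: In the `@@ -1591` hunk of the same patch the watch now owns a counted reference, so the client's count cannot reach zero while `listener_watch` is installed. If any owner relies on its final `g_dhcp_client_unref()` to stop listening, the client and its socket watch would stay alive and keep dispatching `listener_event` after the owner has let go, which trades the use-after-free for a leak with a live callback. Teardown is not visible here, so it is worth confirming that every owner switches the listener off before dropping its reference, for example `ipv4ll_stop_client` in src/dhcp.c, which the trace shows calling `g_dhcp_client_unref()`. `switch_listening_mode` starts and ends outside the hunk.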
@@ -1464,23 +1465,20 @@ static int ipv4ll_recv_arp_packet(GDHCPClient *dhcp_client)
 ipv4ll_stop(dhcp_client);
- if (dhcp_client->conflicts < MAX_CONFLICTS) {
- /*restart whole state machine*/
- dhcp_client->retry_times++;
- dhcp_client->timeout =
- g_timeout_add_full(G_PRIORITY_HIGH,
- __connman_util_random_delay_ms(PROBE_WAIT),
- send_probe_packet,
- dhcp_client,
- NULL);
- }
- /* Here we got a lot of conflicts, RFC3927 states that we have
+ /* If we got a lot of conflicts, RFC3927 states that we have
 * to wait RATE_LIMIT_INTERVAL before retrying,
- * but we just report failure. */
- else if (dhcp_client->no_lease_cb)
- dhcp_client->no_lease_cb(dhcp_client,
- dhcp_client->no_lease_data);
+ if (dhcp_client->conflicts < MAX_CONFLICTS)
+ timeout_ms = __connman_util_random_delay_ms(PROBE_WAIT);
+ else
+ timeout_ms = RATE_LIMIT_INTERVAL * 1000;
+ dhcp_client->retry_times++;
+ dhcp_client->timeout =
+ g_timeout_add_full(G_PRIORITY_HIGH,
+ timeout_ms,
+ send_probe_packet,
+ dhcp_client,
+ NULL);
 return 0;
 }
-- 
2.17.1
------------------------------
Subject: Digest Footer
_______________________________________________
connman mailing list
connman@lists.01.org
https://lists.01.org/mailman/listinfo/connman
------------------------------
End of connman Digest, Vol 35, Issue 2
**************************************
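Review bot: The rewritten comment in the `@@ -1464` hunk is never closed: the removed line `* but we just report failure. */` carried the terminator, and the new side goes from `* to wait RATE_LIMIT_INTERVAL before retrying,` straight to `if (dhcp_client->conflicts < MAX_CONFLICTS)`. As posted, the new retry logic, `return 0;` and the closing brace would sit inside the comment up to the next `*/` in the file, so a ` */` line is needed after the `* to wait …` line. Separately, the timeout is still armed with a borrowed `dhcp_client` and a `NULL` destroy notify; since the timer is now re-armed on every conflict, confirm that client teardown always removes `dhcp_client->timeout`, or hold a reference for it the way the listener watch does in the other patch of this digest. `ipv4ll_recv_arp_packet` begins outside the hunk.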