Message: 1
Date: Wed, 12 Sep 2018 13:02:29 +0200
From: Vivien Henriet <v.henr...@overkiz.com>
To: connman@lists.01.org
Subject: [PATCH] gdhcp: Fix use of dhcp_client after free
Message-ID: <20180912110229.23226-1-v.henr...@overkiz.com>

==6439==ERROR: AddressSanitizer: heap-use-after-free on address 0xb3d031f4 at 
pc 0x0002a86c bp 0xbe897f7c sp 0xbe897f74
READ of size 4 at 0xb3d031f4 thread T0
    #0 0x2a86b  (/usr/sbin/connmand+0x2a86b)    ./gdhcp/client.c:1542           
switch_listening_mode
    #1 0x297ff  (/usr/sbin/connmand+0x297ff)    ./gdhcp/client.c:1392           
ipv4ll_stop
    #2 0x2a0fb  (/usr/sbin/connmand+0x2a0fb)    ./gdhcp/client.c:1462           
ipv4ll_recv_arp_packet
    #3 0x2f537  (/usr/sbin/connmand+0x2f537)    ./gdhcp/client.c:2311           
listener_event
0xb3d031f4 is located 52 bytes inside of 320-byte region [0xb3d031c0,0xb3d03300)
freed by thread T0 here:
    #0 0xb6a18483 in free (/usr/lib/libasan.so.3+0xbe483)
    #1 0x36acf  (/usr/sbin/connmand+0x36acf)    ./gdhcp/client.c:3252           
g_dhcp_client_unref
    #2 0x136d0b  (/usr/sbin/connmand+0x136d0b)  ./src/dhcp.c:89                 
ipv4ll_stop_client
    #3 0x1387bb  (/usr/sbin/connmand+0x1387bb)  ./src/dhcp.c:295                
ipv4ll_lost_cb
    #4 0x2a0f3  (/usr/sbin/connmand+0x2a0f3)    ./gdhcp/client.c:1458           
ipv4ll_recv_arp_packet
    #5 0x2f537  (/usr/sbin/connmand+0x2f537)    ./gdhcp/client.c:2311           
listener_event
    #6 0xb68a2a33 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x47a33)
previously allocated by thread T0 here:
    #0 0xb6a188ef in calloc (/usr/lib/libasan.so.3+0xbe8ef)
    #1 0x27f2f  (/usr/sbin/connmand+0x27f2f)    ./gdhcp/client.c:1164
    #2 0x137f2b  (/usr/sbin/connmand+0x137f2b)  ./src/dhcp.c:203
    #3 0x138603  (/usr/sbin/connmand+0x138603)  ./src/dhcp.c:271
    #4 0x334c3  (/usr/sbin/connmand+0x334c3)    ./gdhcp/client.c:2818
    #5 0x31d0f  (/usr/sbin/connmand+0x31d0f)    ./gdhcp/client.c:2635
    #6 0xb68a3677  (/usr/lib/libglib-2.0.so.0+0x48677)
---
 gdhcp/client.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gdhcp/client.c b/gdhcp/client.c
index eb234b65..81ea8706 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1532,6 +1532,12 @@ static gboolean request_timeout(gpointer user_data)
        return FALSE;
 }
 
+static void listener_watch_destroy(gpointer user_data)
+{
+       GDHCPClient *dhcp_client = user_data;
+       g_dhcp_client_unref(dhcp_client);
+}
+
 static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
                                                        gpointer user_data);
 
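Review bot: listener_watch_destroy is the only place the watch's reference is dropped, yet nothing in the hunk records why the watch owns a reference at all, so the next maintainer may well "simplify" it back to a bare user_data pointer. The ASan trace in the commit message shows the last reference being dropped by a callback reached from inside listener_event's own dispatch, so this fix relies on GLib deferring a removed source's destroy-notify until dispatch returns; that is the reasoning worth writing down here. Suggested comment above the function: `/* The listener watch holds its own ref on dhcp_client: callbacks run from listener_event may drop the caller's last ref, and GLib only runs this notify after dispatch has returned. */`.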
@@ -1591,8 +1597,8 @@ static int switch_listening_mode(GDHCPClient *dhcp_client,
        dhcp_client->listener_watch =
                        g_io_add_watch_full(listener_channel, G_PRIORITY_HIGH,
                                G_IO_IN | G_IO_NVAL | G_IO_ERR | G_IO_HUP,
-                                               listener_event, dhcp_client,
-                                                               NULL);
+                                               listener_event, 
g_dhcp_client_ref(dhcp_client),
+                                                               
listener_watch_destroy);
        g_io_channel_unref(listener_channel);
 
        return 0;
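Review bot: Passing g_dhcp_client_ref(dhcp_client) as the watch's user_data makes the client and its listener source hold each other: the client owns listener_watch and the watch now owns a ref on the client, so the refcount can no longer reach zero until something explicitly removes the watch. If g_dhcp_client_unref only tears the listener down once the count hits zero (its body is not in this diff), a caller that unrefs a still-listening client without going through the stop path now leaks it instead of freeing it; worth confirming every unref path removes the watch first, or noting the requirement next to the ref, e.g. `/* the watch owns a ref: the listener must be removed before the last g_dhcp_client_unref */`. The g_source_remove of the previous listener_watch earlier in switch_listening_mode now also drops a reference, which is fine while callers still hold one but makes the ref/unref pairing invisible from this hunk. switch_listening_mode begins before this hunk.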
-- 
2.17.1




Message: 2
Date: Wed, 12 Sep 2018 14:15:54 +0200
From: Vivien Henriet <v.henr...@overkiz.com>
To: connman@lists.01.org
Subject: [PATCH] gdhcp: Retry to get an IPv4ll ip even after
        MAX_CONFLICTS
Message-ID: <20180912121554.17179-1-v.henr...@overkiz.com>

There is no reason to stop retrying after MAX_CONFLICTS (10) attempts.
Doing so leaves the device unable to obtain an IPv4LL address on a large network.
With this commit connman retries until it eventually obtains a non-conflicting
address, honoring RATE_LIMIT_INTERVAL once MAX_CONFLICTS has been reached.
---
 gdhcp/client.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/gdhcp/client.c b/gdhcp/client.c
index eb234b65..bcb34d29 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1416,6 +1416,7 @@ static int ipv4ll_recv_arp_packet(GDHCPClient 
*dhcp_client)
        uint32_t ip_requested;
        int source_conflict;
        int target_conflict;
+       guint timeout_ms;
 
        memset(&arp, 0, sizeof(arp));
        bytes = read(dhcp_client->listener_sockfd, &arp, sizeof(arp));
@@ -1464,23 +1465,20 @@ static int ipv4ll_recv_arp_packet(GDHCPClient 
*dhcp_client)
 
        ipv4ll_stop(dhcp_client);
 
-       if (dhcp_client->conflicts < MAX_CONFLICTS) {
-               /*restart whole state machine*/
-               dhcp_client->retry_times++;
-               dhcp_client->timeout =
-                       g_timeout_add_full(G_PRIORITY_HIGH,
-                                       
__connman_util_random_delay_ms(PROBE_WAIT),
-                                       send_probe_packet,
-                                       dhcp_client,
-                                       NULL);
-       }
-       /* Here we got a lot of conflicts, RFC3927 states that we have
+       /* If we got a lot of conflicts, RFC3927 states that we have
         * to wait RATE_LIMIT_INTERVAL before retrying,
-        * but we just report failure.
         */
-       else if (dhcp_client->no_lease_cb)
-                       dhcp_client->no_lease_cb(dhcp_client,
-                                               dhcp_client->no_lease_data);
+       if (dhcp_client->conflicts < MAX_CONFLICTS)
+               timeout_ms = __connman_util_random_delay_ms(PROBE_WAIT);
+       else
+               timeout_ms = RATE_LIMIT_INTERVAL * 1000;
+       dhcp_client->retry_times++;
+       dhcp_client->timeout =
+               g_timeout_add_full(G_PRIORITY_HIGH,
+                               timeout_ms,
+                               send_probe_packet,
+                               dhcp_client,
+                               NULL);
 
        return 0;
 }
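Review bot: The no_lease_cb notification for the MAX_CONFLICTS case is removed outright rather than deferred, so the upper layer (the src/dhcp.c handlers visible in the first patch's trace) is never told that the IPv4LL attempt has stalled; with the RATE_LIMIT_INTERVAL retry now silent and unbounded, a peer that answers every probe (misconfigured or hostile) keeps the device addressless indefinitely with no signal to the caller. dhcp_client->retry_times is likewise incremented without bound now; whether that can wrap depends on its type, which is outside the hunk. If the callback is reinstated, for example fired once when conflicts reaches MAX_CONFLICTS, it must be the last use of dhcp_client in this function, because the ASan trace in the first patch shows these callbacks can drop the caller's reference — so schedule the timeout first and add `if (dhcp_client->conflicts == MAX_CONFLICTS && dhcp_client->no_lease_cb) dhcp_client->no_lease_cb(dhcp_client, dhcp_client->no_lease_data);` after the g_timeout_add_full, or hold a ref around the call. The conflicts counter compared here is incremented outside this hunk, and ipv4ll_recv_arp_packet starts before it.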
-- 
2.17.1


