
Today's Topics:

   1. [PATCH] tethering: fix use after free. (Mickael GARDET)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Aug 2019 15:32:18 +0200
From: Mickael GARDET <[email protected]>
To: "[email protected] >> [email protected]"
        <[email protected]>
Subject: [PATCH] tethering: fix use after free.
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8


Method of reproducing:

in a loop:
1) connmanctl tether wifi on my_ssid my_pasword
2) connect a client
3) connmanctl tether wifi off

con[14819.539062] tether: port 1(wlan0) entered disabled state
nmand2[3831]: ../git/src/technology.c:set_property() property Tethering
connmand2[3831]: ../git/plugins/wifi.c:tech_set_tethering()
connmand2[3831]:
../git/src/technology.c:connman_technology_tethering_notify() technology
0xb57006e0 enabled 0
connmand2[3831]:
../git/src/tethering.c:__connman_tethering_set_disabled() enabled 0
=================================================================
==3831==ERROR: AddressSanitizer: heap-use-after-free on address
0xb490c370 at pc 0x41c2e9c0 bp 0xbedf7494 sp 0xbedf7060
READ of size 2 at 0xb490c370 thread T0
    #0 0x41c2e9bf  (/usr/lib/libasan.so.5+0x41c2e9bf)

0xb490c370 is located 0 bytes inside of 18-byte region
[0xb490c370,0xb490c382)
freed by thread T0 here:
    #0 0x41c73ee7 in free (/usr/lib/libasan.so.5+0x41c73ee7)
    #1 0x42877473  (/usr/lib/libglib-2.0.so.0+0x42877473)

previously allocated by thread T0 here:
    #0 0x41c7421b in malloc (/usr/lib/libasan.so.5+0x41c7421b)
    #1 0x42890b8b in g_malloc (/usr/lib/libglib-2.0.so.0+0x42890b8b)
    #2 0x9d3a7 in sta_authorized ../git/plugins/wifi.c:3004
    #3 0xa79eb in callback_sta_authorized ../git/gsupplicant/supplicant.c:626
    #4 0xc3dd7 in signal_sta_authorized ../git/gsupplicant/supplicant.c:2779
    #5 0xceb2f in g_supplicant_filter ../git/gsupplicant/supplicant.c:3620
    #6 0x419fb123 in dbus_connection_dispatch (/usr/lib/libdbus-1.so.3+0x419fb123)
    #7 0xb2501d17  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/lib/libasan.so.5+0x41c2e9bf)
Shadow bytes around the buggy address:
==3831==ABORTING

---
 src/tethering.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/tethering.c b/src/tethering.c
index e04756ff..8386ec90 100644
--- a/src/tethering.c
+++ b/src/tethering.c
@@ -637,8 +637,8 @@ void __connman_tethering_client_register(const char
*addr)
?
?void __connman_tethering_client_unregister(const char *addr)
?{
-??? g_hash_table_remove(clients_table, addr);
???? client_removed(addr);
+??? g_hash_table_remove(clients_table, addr);
?}
?
?int __connman_tethering_init(void)
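Review bot: the reorder in __connman_tethering_client_unregister() fixes the crash only because of an ownership rule that nothing in the hunk documents: when addr is the key string stored in clients_table (the trace shows the freed 18-byte region, the size of a NUL-terminated MAC address string, was allocated in sta_authorized and freed from inside glib, which is what g_hash_table_remove() does to a key that has a destroy function), removing the entry first frees the buffer that client_removed(addr) then reads. Add a one-line comment above client_removed(addr) saying that addr may be owned by the table and must be used before the removal, and state that root cause in the commit message rather than only pasting the sanitizer output; otherwise nothing stops the two lines from being swapped back in a later refactor. A more robust alternative is to take a private copy of addr (or steal the key out of the table) before notifying, so the function is correct regardless of who owns the argument.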
@@ -682,6 +682,7 @@ void __connman_tethering_cleanup(void)
???? g_hash_table_destroy(pn_hash);
?
???? g_hash_table_destroy(clients_notify->remove);
+??? clients_notify->remove = NULL;
???? g_free(clients_notify);
???? clients_notify = NULL;
?
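Review bot: clients_notify->remove = NULL is a dead store as written: the next two lines free clients_notify and set the pointer itself to NULL, so no later code can observe the cleared field. If the intent is to guard against a notification callback running between g_hash_table_destroy() and g_free(), say so in the commit message and point at the site that dereferences clients_notify->remove; if no such window exists, drop the line (pn_hash, destroyed just above, is not nulled either, so the hunk is also inconsistent with its neighbours). Either way this change is unrelated to the use-after-free in the trace and would be clearer as its own commit, leaving the two-line unregister reorder as the actual fix.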
-- 
2.21.0

------------------------------

Subject: Digest Footer

_______________________________________________
connman mailing list
[email protected]
https://lists.01.org/mailman/listinfo/connman


------------------------------

End of connman Digest, Vol 46, Issue 21
***************************************