Today's Topics:
1. [PATCH] wispr: prevent use-after-free from agent browser request
(John Keeping)
2. [PATCH] plugins/ethernet: fix strncpy errors with GCC>9.1
(Nicola Lunghi)
----------------------------------------------------------------------
Date: Wed, 16 Oct 2019 13:24:27 +0100
From: John Keeping <[email protected]>
Subject: [PATCH] wispr: prevent use-after-free from agent browser
request
To: [email protected]
Cc: John Keeping <[email protected]>
Message-ID: <[email protected]>
Agent requests take a reference on the service object, but this doesn't
guarantee that the wispr context is kept alive. When we get a callback,
look up the context from first principles and verify that the object
we've been given is still a context on the given service.
This prevents a use-after-free on the wispr context pointer if the agent
takes a long time to respond (or fails to respond resulting in a DBus
timeout) and the context is freed before that response arrives.
---
This is the smallest change which solves this problem, but I'm not sure
if it would be better to make more widespread changes in the agent
handling code to better track and cancel agent requests that don't
relate directly to a service.
src/wispr.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/wispr.c b/src/wispr.c
index 473c0e03..41157580 100644
--- a/src/wispr.c
+++ b/src/wispr.c
@@ -555,12 +555,31 @@ static void wispr_portal_browser_reply_cb(struct
connman_service *service,
const char *error, void *user_data)
{
struct connman_wispr_portal_context *wp_context = user_data;
+ struct connman_wispr_portal *wispr_portal;
+ int index;
DBG("");
if (!service || !wp_context)
return;
+ /*
+ * No way to cancel this if wp_context has been freed, so we lookup
+ * from the service and check that this is still the right context.
+ */
+ index = __connman_service_get_index(service);
+ if (index < 0)
+ return;
+
+ wispr_portal = g_hash_table_lookup(wispr_portal_list,
+ GINT_TO_POINTER(index));
+ if (!wispr_portal)
+ return;
+
+ if (wp_context != wispr_portal->ipv4_context &&
+ wp_context != wispr_portal->ipv6_context)
+ return;
+
if (!authentication_done) {
wispr_portal_error(wp_context);
free_wispr_routes(wp_context);
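Review bot: The identity check `wp_context != wispr_portal->ipv4_context && wp_context != wispr_portal->ipv6_context` compares a possibly dangling pointer by address only, so it can pass for the wrong object: if the original context was freed and a new context for the same service was later allocated at the same address, the late reply would be processed against the new context. Consider passing a generation or request token as user_data and checking it here, or cancelling the pending agent request where the context is freed, which is the wider change the note under the commit message raises. A DBG message on each of the new early returns would also make a dropped late reply visible in the logs.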
--
2.23.0
------------------------------
Date: Wed, 16 Oct 2019 18:01:40 +0100
From: Nicola Lunghi <[email protected]>
Subject: [PATCH] plugins/ethernet: fix strncpy errors with GCC>9.1
To: [email protected]
Cc: Nicola Lunghi <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8
From: Nicola Lunghi <[email protected]>
This fixes the following errors:
In function ‘strncpy’,
inlined from ‘get_dsa_port’ at plugins/ethernet.c:102:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10:
error: ‘__builtin_strncpy’ specified bound 16 equals destination size
[-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘strncpy’,
inlined from ‘get_dsa_port’ at plugins/ethernet.c:106:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10:
error: ‘__builtin_strncpy’ specified bound 24 equals destination size
[-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘strncpy’,
inlined from ‘get_dsa_port’ at plugins/ethernet.c:109:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10:
error: ‘__builtin_strncpy’ output may be truncated copying 16 bytes
from a string of length 23 [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CC plugins/src_connmand-neard.o
CC src/shared/connmand-util.o
CC src/shared/connmand-netlink.o
CC src/shared/connmand-arp.o
In function ‘strncpy’,
inlined from ‘get_vlan_vid’ at plugins/ethernet.c:76:2,
inlined from ‘add_network’ at plugins/ethernet.c:199:9,
inlined from ‘ethernet_newlink’ at plugins/ethernet.c:253:4:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10:
error: ‘__builtin_strncpy’ specified bound 24 equals destination size
[-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Nicola Lunghi <[email protected]>
---
plugins/ethernet.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/plugins/ethernet.c b/plugins/ethernet.c
index b0395c83..6ceb2266 100644
--- a/plugins/ethernet.c
+++ b/plugins/ethernet.c
@@ -73,7 +73,7 @@ static int get_vlan_vid(const char *ifname)
return -errno;
vifr.cmd = GET_VLAN_VID_CMD;
- strncpy(vifr.device1, ifname, sizeof(vifr.device1));
+ strncpy(vifr.device1, ifname, sizeof(vifr.device1) - 1);
if(ioctl(sk, SIOCSIFVLAN, &vifr) >= 0)
vid = vifr.u.VID;
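Review bot: With the bound reduced to `sizeof(vifr.device1) - 1`, the last byte of `vifr.device1` is never written by this call, so the string is NUL-terminated only if `vifr` was zeroed earlier, which this hunk does not show. Either confirm the struct is zero-initialised before this point or terminate explicitly with `vifr.device1[sizeof(vifr.device1) - 1] = '\0';`. An `ifname` longer than the buffer is also truncated silently, and the ioctl would then query a different interface name; returning an error for an over-long name would be safer.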
@@ -99,14 +99,17 @@ static int get_dsa_port(const char *ifname)
return -errno;
memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
+ strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name) - 1);
/* check if it is a vlan and get physical interface name*/
vifr.cmd = GET_VLAN_REALDEV_NAME_CMD;
- strncpy(vifr.device1, ifname, sizeof(vifr.device1));
+ strncpy(vifr.device1, ifname, sizeof(vifr.device1) - 1);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-truncation"
if(ioctl(sk, SIOCSIFVLAN, &vifr) >= 0)
- strncpy(ifr.ifr_name, vifr.u.device2, sizeof(ifr.ifr_name));
+ strncpy(ifr.ifr_name, vifr.u.device2, sizeof(ifr.ifr_name) - 1);
+#pragma GCC diagnostic pop
/* get driver info */
drvinfocmd.cmd = ETHTOOL_GDRVINFO;
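Review bot: The `#pragma GCC diagnostic ignored "-Wstringop-truncation"` around the `vifr.u.device2` copy hides the truncation instead of handling it: per the quoted build errors the source can be a string of length 23 while `ifr.ifr_name` is 16 bytes, so a long real-device name is cut to 15 characters and the driver-info query that follows is issued for a name that may not match the intended interface. Checking the length of `vifr.u.device2` against `sizeof(ifr.ifr_name)` and returning an error when it does not fit would remove the need for the pragma. The pragma region also covers the `ioctl()` condition, which is wider than the one call that needs it, and termination of `vifr.device1` after the `- 1` change depends on `vifr` having been zeroed, which is not visible here (only `memset(&ifr, 0, sizeof(ifr))` is).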
--
2.20.1
------------------------------
End of connman Digest, Vol 48, Issue 22
***************************************