Re: [PATCH] D-Bus: fix P2P NULL dereference after interface removal

On Wed, Sep 25, 2019 at 07:22:43PM +0200, Davide Caratti wrote:
> When the P2P management interface is deleted, P2P is then disabled and
> global->p2p_init_wpa_s is set to NULL. After that, other interfaces can
> still trigger P2P functions (like wpas_p2p_find()) using D-Bus. This
> makes wpa_supplicant terminate with SIGSEGV, because it dereferences a
> NULL pointer: fix this by adding proper checks, like it's done with wpa_cli.
> 
> CC: Beniamino Galvani <bgalvani@xxxxxxxxxx>
> CC: Benjamin Berg <benjamin@xxxxxxxxxxxxxxxx>
> Reported-by: Vladimir Benes <vbenes@xxxxxxxxxx>
> Signed-off-by: Davide Caratti <davide.caratti@xxxxxxxxx>
> ---
>  wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 66 ++++++++++++++++++++-
>  1 file changed, 65 insertions(+), 1 deletion(-)
> 
> diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
> index 8cdd88564..d476cbd55 100644
> --- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
> +++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
> @@ -40,6 +40,14 @@ static int wpas_dbus_validate_dbus_ipaddr(struct wpa_dbus_dict_entry entry)
>  }
>  
>  
> +static dbus_bool_t no_p2p_mgmt_interface(DBusError *error)
> +{
> +	dbus_set_error_const(error, WPAS_DBUS_ERROR_IFACE_UNKNOWN,
> +			     "Could not find P2P mgmt interface");
> +	return FALSE;
> +}
> +
> +
>  /**
>   * Parses out the mac address from the peer object path.
>   * @peer_path - object path of the form
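
Review bot: no_p2p_mgmt_interface() is added without a doc comment and without the wpas_dbus_ prefix that the message-returning helper added later in this patch (wpas_dbus_error_no_p2p_mgmt_iface()) carries. A name following that prefix, plus a short comment saying that it sets WPAS_DBUS_ERROR_IFACE_UNKNOWN in the DBusError and always returns FALSE so a caller can return its result directly, would make the pairing of the two helpers obvious.
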
> @@ -78,6 +86,22 @@ wpas_dbus_error_persistent_group_unknown(DBusMessage *message)
>  }
>  
>  
> +/**
> + * wpas_dbus_error_no_p2p_mgmt_iface - Return a new InterfaceUnknown error
> + * message
> + * @message: Pointer to incoming dbus message this error refers to
> + * Returns: a dbus error message
> + *
> + * Convenience function to create and return an unknown interface error.
> + */
> +static DBusMessage * wpas_dbus_error_no_p2p_mgmt_iface(DBusMessage *message)
> +{
> +	wpa_printf(MSG_DEBUG, "Could not find P2P mgmt interface");
> +	return dbus_message_new_error(message, WPAS_DBUS_ERROR_IFACE_UNKNOWN,
> +			              "Could not find P2P mgmt interface");
> +}
> +
> +
>  DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message,
>  					 struct wpa_supplicant *wpa_s)
>  {
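
Review bot: The continuation line of the dbus_message_new_error() call in wpas_dbus_error_no_p2p_mgmt_iface() is indented with three tabs followed by a long run of spaces, unlike the continuation in no_p2p_mgmt_interface() above, which uses tabs plus a few alignment spaces; use tabs first and only the remaining spaces for alignment. The literal "Could not find P2P mgmt interface" now appears three times across the two helpers (error text twice, wpa_printf() once), so a single shared constant would keep the log line and both D-Bus errors from drifting apart. The doc comment could also say that the error is specific to a missing P2P management interface rather than "an unknown interface error".
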
> @@ -145,6 +169,10 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message,
>  	}
>  
>  	wpa_s = wpa_s->global->p2p_init_wpa_s;
> +	if (!wpa_s) {
> +		reply = wpas_dbus_error_no_p2p_mgmt_iface(message);
> +		goto error;
> +	}
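
Review bot: The new NULL test in wpas_dbus_handler_p2p_find() comes after wpa_s has already been overwritten with wpa_s->global->p2p_init_wpa_s on the line above, and nothing in the code says why that pointer can be NULL. A one-line comment at the check, stating that p2p_init_wpa_s is cleared when the P2P management interface is removed, would document the condition next to the code; the same applies wherever this check is repeated in the other handlers.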

The reply is overwritten in the error label, so either return directly
here (freeing req_dev_types) or add a new label.

Beniamino
