Using D-Bus it is possible to request an invalid SD response where "tlvs"
is specified and there is an unknown key (e.g. "bar": "foo"). In this case,
"tlv" is allocated and then never used nor freed. Valgrind complains as
follows:
36 bytes in 1 blocks are definitely lost in loss record 20 of 74
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.
Signed-off-by: Davide Caratti <davide.caratti@xxxxxxxxx>
---
tests/hwsim/test_dbus.py | 17 ++++++++++-------
wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 2 +-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/tests/hwsim/test_dbus.py b/tests/hwsim/test_dbus.py
index 28fa7197e..2c59d7fb7 100644
--- a/tests/hwsim/test_dbus.py
+++ b/tests/hwsim/test_dbus.py
@@ -3541,13 +3541,16 @@ def test_dbus_p2p_service_discovery(dev, apdev):
if "InvalidArgs" not in str(e):
raise Exception("Unexpected error message for invalid ServiceDiscoveryRequest(): " + str(e))
- args = {'foo': 'bar'}
- try:
- p2p.ServiceDiscoveryResponse(dbus.Dictionary(args, signature='sv'))
- raise Exception("Invalid ServiceDiscoveryResponse accepted")
- except dbus.exceptions.DBusException as e:
- if "InvalidArgs" not in str(e):
- raise Exception("Unexpected error message for invalid ServiceDiscoveryResponse(): " + str(e))
+ tests = [{'foo': 'bar'},
+ {'tlvs': dbus.ByteArray(b"\x02\x00\x00\x01"),
+ 'bar': 'foo'}]
+ for args in tests:
+ try:
+ p2p.ServiceDiscoveryResponse(dbus.Dictionary(args, signature='sv'))
+ raise Exception("Invalid ServiceDiscoveryResponse accepted")
+ except dbus.exceptions.DBusException as e:
+ if "InvalidArgs" not in str(e):
+ raise Exception("Unexpected error message for invalid ServiceDiscoveryResponse(): " + str(e))
def test_dbus_p2p_service_discovery_query(dev, apdev):
"""D-Bus P2P service discovery query"""
diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
index 53495f2c3..d001c0154 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
@@ -3024,8 +3024,8 @@ DBusMessage * wpas_dbus_handler_p2p_service_sd_res(
goto error;
wpas_p2p_sd_response(wpa_s, freq, addr, (u8) dlg_tok, tlv);
- wpabuf_free(tlv);
out:
+ wpabuf_free(tlv);
os_free(peer_object_path);
return reply;
error_clear:
--
2.44.0
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
