xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001
2From: Daniel Wagner <wagi@monom.org>
3Date: Tue, 5 Jul 2022 08:32:12 +0200
4Subject: wispr: Add reference counter to portal context
5
6Track the connman_wispr_portal_context lifetime via a
7refcounter. This only adds the infrastructure to do proper reference
8counting.
9
10Fixes: CVE-2022-32293
11CVE: CVE-2022-32293
12Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
13Signed-off-by: Khem Raj <raj.khem@gmail.com>
14---
15 src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
16 1 file changed, 42 insertions(+), 10 deletions(-)
17
18diff --git a/src/wispr.c b/src/wispr.c
19index a07896ca..bde7e63b 100644
20--- a/src/wispr.c
21+++ b/src/wispr.c
22@@ -56,6 +56,7 @@ struct wispr_route {
23 };
24
25 struct connman_wispr_portal_context {
26+	int refcount;
27 	struct connman_service *service;
28 	enum connman_ipconfig_type type;
29 	struct connman_wispr_portal *wispr_portal;
30@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL;
31 static char *online_check_ipv6_url = NULL;
32 static bool enable_online_to_ready_transition = false;
33
34+#define wispr_portal_context_ref(wp_context) \
35+	wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
36+#define wispr_portal_context_unref(wp_context) \
37+	wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
38+
39 static void connman_wispr_message_init(struct connman_wispr_message *msg)
40 {
41 	DBG("");
42@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context(
43 {
44 	DBG("context %p", wp_context);
45
46-	if (!wp_context)
47-		return;
48-
49 	if (wp_context->wispr_portal) {
50 		if (wp_context->wispr_portal->ipv4_context == wp_context)
51 			wp_context->wispr_portal->ipv4_context = NULL;
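Review bot: With the `if (!wp_context) return;` guard gone, free_connman_wispr_portal_context() dereferences `wp_context->wispr_portal` right after the DBG line, so it now relies on every caller passing a non-NULL context. The call sites converted in this patch go through wispr_portal_context_unref(), which keeps the NULL check, but any direct caller elsewhere in wispr.c that is not visible here would turn a former no-op into a NULL dereference. I would record the precondition above the function, for example `/* Only called from wispr_portal_context_unref_debug() once the refcount has dropped to zero; wp_context must not be NULL. */`. The function body continues outside this hunk.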
52@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context(
53 	g_free(wp_context);
54 }
55
56+static struct connman_wispr_portal_context *
57+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
58+			const char *file, int line, const char *caller)
59+{
60+	DBG("%p ref %d by %s:%d:%s()", wp_context,
61+		wp_context->refcount + 1, file, line, caller);
62+
63+	__sync_fetch_and_add(&wp_context->refcount, 1);
64+
65+	return wp_context;
66+}
67+
68+static void wispr_portal_context_unref_debug(
69+		struct connman_wispr_portal_context *wp_context,
70+		const char *file, int line, const char *caller)
71+{
72+	if (!wp_context)
73+		return;
74+
75+	DBG("%p ref %d by %s:%d:%s()", wp_context,
76+		wp_context->refcount - 1, file, line, caller);
77+
78+	if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
79+		return;
80+
81+	free_connman_wispr_portal_context(wp_context);
82+}
83+
84 static struct connman_wispr_portal_context *create_wispr_portal_context(void)
85 {
86-	return g_try_new0(struct connman_wispr_portal_context, 1);
87+	return wispr_portal_context_ref(
88+		g_new0(struct connman_wispr_portal_context, 1));
89 }
90
91 static void free_connman_wispr_portal(gpointer data)
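Review bot: create_wispr_portal_context() switches from g_try_new0() to g_new0(), which changes the out-of-memory behaviour: g_new0() aborts the process instead of returning NULL, so the `if (!wp_context)` check after the call in __connman_wispr_start() (last hunk) can no longer fire. The switch may be a consequence of wispr_portal_context_ref_debug() reading `wp_context->refcount` without a NULL check, unlike the unref side. If the daemon is meant to survive a failed allocation here, keep g_try_new0() and take the reference only on success, as below; otherwise drop the dead check in the caller. Separately, both helpers log with the same "%p ref %d" format, so the debug trace cannot tell a ref from an unref, and the logged value is read outside the atomic operation.

```c
static struct connman_wispr_portal_context *create_wispr_portal_context(void)
{
	struct connman_wispr_portal_context *wp_context;

	wp_context = g_try_new0(struct connman_wispr_portal_context, 1);
	if (!wp_context)
		return NULL;

	return wispr_portal_context_ref(wp_context);
}
```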
92@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data)
93 	if (!wispr_portal)
94 		return;
95
96-	free_connman_wispr_portal_context(wispr_portal->ipv4_context);
97-	free_connman_wispr_portal_context(wispr_portal->ipv6_context);
98+	wispr_portal_context_unref(wispr_portal->ipv4_context);
99+	wispr_portal_context_unref(wispr_portal->ipv6_context);
100
101 	g_free(wispr_portal);
102 }
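Review bot: free_connman_wispr_portal() calls g_free(wispr_portal) right after the two unref calls, but an unref only frees the context when it drops the last reference. No extra reference is taken in the lines shown, so today both contexts are freed first. Once another holder keeps a context alive past this point (presumably the purpose of the counter), that context's `wispr_portal` back-pointer refers to freed memory, and free_connman_wispr_portal_context() later reads `wp_context->wispr_portal->ipv4_context` through it. I would clear the back-pointer of each non-NULL context before dropping the reference, e.g. `if (wispr_portal->ipv4_context) wispr_portal->ipv4_context->wispr_portal = NULL;` and the same for ipv6. Part of the free function lies outside the visible hunks, so check that nothing there still needs the back-pointer.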
103@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result,
104 		connman_info("Client-Timezone: %s", str);
105
106 	if (!enable_online_to_ready_transition)
107-		free_connman_wispr_portal_context(wp_context);
108+		wispr_portal_context_unref(wp_context);
109
110 	__connman_service_ipconfig_indicate_state(service,
111 					CONNMAN_SERVICE_STATE_ONLINE, type);
112@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
113 				return;
114 		}
115
116-		free_connman_wispr_portal_context(wp_context);
117+		wispr_portal_context_unref(wp_context);
118 		return;
119 	}
120
121@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
122
123 		if (wp_context->token == 0) {
124 			err = -EINVAL;
125-			free_connman_wispr_portal_context(wp_context);
126+			wispr_portal_context_unref(wp_context);
127 		}
128 	} else if (wp_context->timeout == 0) {
129 		wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
130@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,
131
132 	/* If there is already an existing context, we wipe it */
133 	if (wp_context)
134-		free_connman_wispr_portal_context(wp_context);
135+		wispr_portal_context_unref(wp_context);
136
137 	wp_context = create_wispr_portal_context();
138 	if (!wp_context)
139--
140cgit