connman/connman/CVE-2022-32293_p2.patch

From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
From: Daniel Wagner <wagi@monom.org>
Date: Tue, 5 Jul 2022 09:11:09 +0200
Subject: wispr: Update portal context references

Maintain proper portal context references to avoid UAF.

Fixes: CVE-2022-32293
CVE: CVE-2022-32293
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 src/wispr.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/wispr.c b/src/wispr.c
index bde7e63b..84bed33f 100644
--- a/src/wispr.c
+++ b/src/wispr.c
@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;

 static void connman_wispr_message_init(struct connman_wispr_message *msg)
 {
-	DBG("");
-
 	msg->has_error = false;
 	msg->current_element = NULL;

@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
 static void free_connman_wispr_portal_context(
 		struct connman_wispr_portal_context *wp_context)
 {
-	DBG("context %p", wp_context);
-
 	if (wp_context->wispr_portal) {
 		if (wp_context->wispr_portal->ipv4_context == wp_context)
 			wp_context->wispr_portal->ipv4_context = NULL;
@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
 				&str))
 		connman_info("Client-Timezone: %s", str);

-	if (!enable_online_to_ready_transition)
-		wispr_portal_context_unref(wp_context);
-
 	__connman_service_ipconfig_indicate_state(service,
 					CONNMAN_SERVICE_STATE_ONLINE, type);

@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
 {
 	DBG("");

+	wispr_portal_context_ref(wp_context);
 	wp_context->request_id = g_web_request_get(wp_context->web,
 					wp_context->status_url,
 					wispr_portal_web_result,
 					wispr_route_request,
 					wp_context);

-	if (wp_context->request_id == 0)
+	if (wp_context->request_id == 0) {
 		wispr_portal_error(wp_context);
+		wispr_portal_context_unref(wp_context);
+	}
 }

 static bool wispr_input(const guint8 **data, gsize *length,
@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
 		return;

 	if (!authentication_done) {
-		wispr_portal_error(wp_context);
 		free_wispr_routes(wp_context);
+		wispr_portal_error(wp_context);
+		wispr_portal_context_unref(wp_context);
 		return;
 	}

 	/* Restarting the test */
 	__connman_service_wispr_start(service, wp_context->type);
+	wispr_portal_context_unref(wp_context);
 }

 static void wispr_portal_request_wispr_login(struct connman_service *service,
@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,

 		wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;

+		wispr_portal_context_ref(wp_context);
 		if (__connman_agent_request_login_input(wp_context->service,
 					wispr_portal_request_wispr_login,
-					wp_context) != -EINPROGRESS)
+					wp_context) != -EINPROGRESS) {
 			wispr_portal_error(wp_context);
-		else
+			wispr_portal_context_unref(wp_context);
+		} else
 			return true;

 		break;
@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
 		if (length > 0) {
 			g_web_parser_feed_data(wp_context->wispr_parser,
 								chunk, length);
+			wispr_portal_context_unref(wp_context);
 			return true;
 		}

@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)

 	switch (status) {
 	case 000:
+		wispr_portal_context_ref(wp_context);
 		__connman_agent_request_browser(wp_context->service,
 				wispr_portal_browser_reply_cb,
 				wp_context->status_url, wp_context);
@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
 		if (g_web_result_get_header(result, "X-ConnMan-Status",
 						&str)) {
 			portal_manage_status(result, wp_context);
+			wispr_portal_context_unref(wp_context);
 			return false;
-		} else
+		} else {
+			wispr_portal_context_ref(wp_context);
 			__connman_agent_request_browser(wp_context->service,
 					wispr_portal_browser_reply_cb,
 					wp_context->redirect_url, wp_context);
+		}

 		break;
 	case 300:
@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
 			!g_web_result_get_header(result, "Location",
 							&redirect)) {

+			wispr_portal_context_ref(wp_context);
 			__connman_agent_request_browser(wp_context->service,
 					wispr_portal_browser_reply_cb,
 					wp_context->status_url, wp_context);
@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)

 		wp_context->redirect_url = g_strdup(redirect);

+		wispr_portal_context_ref(wp_context);
 		wp_context->request_id = g_web_request_get(wp_context->web,
 				redirect, wispr_portal_web_result,
 				wispr_route_request, wp_context);
@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)

 		break;
 	case 505:
+		wispr_portal_context_ref(wp_context);
 		__connman_agent_request_browser(wp_context->service,
 				wispr_portal_browser_reply_cb,
 				wp_context->status_url, wp_context);
@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
 	wp_context->request_id = 0;
 done:
 	wp_context->wispr_msg.message_type = -1;
+	wispr_portal_context_unref(wp_context);
 	return false;
 }

@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data)
 					xml_wispr_parser_callback, wp_context);

 	wispr_portal_request_portal(wp_context);
+	wispr_portal_context_unref(wp_context);
 }

 static gboolean no_proxy_callback(gpointer user_data)
--
cgit