xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593SmuzhiyunFrom 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Wagner <wagi@monom.org>
3*4882a593SmuzhiyunDate: Tue, 5 Jul 2022 09:11:09 +0200
4*4882a593SmuzhiyunSubject: wispr: Update portal context references
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunMaintain proper portal context references to avoid UAF.
7*4882a593Smuzhiyun
8*4882a593SmuzhiyunFixes: CVE-2022-32293
9*4882a593SmuzhiyunCVE: CVE-2022-32293
10*4882a593SmuzhiyunUpstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
11*4882a593SmuzhiyunSigned-off-by: Khem Raj <raj.khem@gmail.com>
12*4882a593Smuzhiyun---
13*4882a593Smuzhiyun src/wispr.c | 34 ++++++++++++++++++++++------------
14*4882a593Smuzhiyun 1 file changed, 22 insertions(+), 12 deletions(-)
15*4882a593Smuzhiyun
16*4882a593Smuzhiyundiff --git a/src/wispr.c b/src/wispr.c
17*4882a593Smuzhiyunindex bde7e63b..84bed33f 100644
18*4882a593Smuzhiyun--- a/src/wispr.c
19*4882a593Smuzhiyun+++ b/src/wispr.c
20*4882a593Smuzhiyun@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;
21*4882a593Smuzhiyun
22*4882a593Smuzhiyun static void connman_wispr_message_init(struct connman_wispr_message *msg)
23*4882a593Smuzhiyun {
24*4882a593Smuzhiyun-	DBG("");
25*4882a593Smuzhiyun-
26*4882a593Smuzhiyun 	msg->has_error = false;
27*4882a593Smuzhiyun 	msg->current_element = NULL;
28*4882a593Smuzhiyun
29*4882a593Smuzhiyun@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
30*4882a593Smuzhiyun static void free_connman_wispr_portal_context(
31*4882a593Smuzhiyun 		struct connman_wispr_portal_context *wp_context)
32*4882a593Smuzhiyun {
33*4882a593Smuzhiyun-	DBG("context %p", wp_context);
34*4882a593Smuzhiyun-
35*4882a593Smuzhiyun 	if (wp_context->wispr_portal) {
36*4882a593Smuzhiyun 		if (wp_context->wispr_portal->ipv4_context == wp_context)
37*4882a593Smuzhiyun 			wp_context->wispr_portal->ipv4_context = NULL;
38*4882a593Smuzhiyun@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
39*4882a593Smuzhiyun 				&str))
40*4882a593Smuzhiyun 		connman_info("Client-Timezone: %s", str);
41*4882a593Smuzhiyun
42*4882a593Smuzhiyun-	if (!enable_online_to_ready_transition)
43*4882a593Smuzhiyun-		wispr_portal_context_unref(wp_context);
44*4882a593Smuzhiyun-
45*4882a593Smuzhiyun 	__connman_service_ipconfig_indicate_state(service,
46*4882a593Smuzhiyun 					CONNMAN_SERVICE_STATE_ONLINE, type);
47*4882a593Smuzhiyun
48*4882a593Smuzhiyun@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
49*4882a593Smuzhiyun {
50*4882a593Smuzhiyun 	DBG("");
51*4882a593Smuzhiyun
52*4882a593Smuzhiyun+	wispr_portal_context_ref(wp_context);
53*4882a593Smuzhiyun 	wp_context->request_id = g_web_request_get(wp_context->web,
54*4882a593Smuzhiyun 					wp_context->status_url,
55*4882a593Smuzhiyun 					wispr_portal_web_result,
56*4882a593Smuzhiyun 					wispr_route_request,
57*4882a593Smuzhiyun 					wp_context);
58*4882a593Smuzhiyun
59*4882a593Smuzhiyun-	if (wp_context->request_id == 0)
60*4882a593Smuzhiyun+	if (wp_context->request_id == 0) {
61*4882a593Smuzhiyun 		wispr_portal_error(wp_context);
62*4882a593Smuzhiyun+		wispr_portal_context_unref(wp_context);
63*4882a593Smuzhiyun+	}
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun
66*4882a593Smuzhiyun static bool wispr_input(const guint8 **data, gsize *length,
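Review bot: The reference taken before `g_web_request_get` in wispr_portal_request_portal has no comment saying who releases it, and the release appears to live in a different function (the unrefs this patch adds to wispr_portal_web_result, the callback passed here). Since that pairing is what the CVE-2022-32293 fix relies on, I would add `/* ref owned by the pending request; dropped by wispr_portal_web_result() */` above the `wispr_portal_context_ref(wp_context);` line. The failure branch is ordered correctly as written: `wispr_portal_error()` runs while the reference is still held and the unref comes last. The function's signature starts outside the hunk.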
67*4882a593Smuzhiyun@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
68*4882a593Smuzhiyun 		return;
69*4882a593Smuzhiyun
70*4882a593Smuzhiyun 	if (!authentication_done) {
71*4882a593Smuzhiyun-		wispr_portal_error(wp_context);
72*4882a593Smuzhiyun 		free_wispr_routes(wp_context);
73*4882a593Smuzhiyun+		wispr_portal_error(wp_context);
74*4882a593Smuzhiyun+		wispr_portal_context_unref(wp_context);
75*4882a593Smuzhiyun 		return;
76*4882a593Smuzhiyun 	}
77*4882a593Smuzhiyun
78*4882a593Smuzhiyun 	/* Restarting the test */
79*4882a593Smuzhiyun 	__connman_service_wispr_start(service, wp_context->type);
80*4882a593Smuzhiyun+	wispr_portal_context_unref(wp_context);
81*4882a593Smuzhiyun }
82*4882a593Smuzhiyun
83*4882a593Smuzhiyun static void wispr_portal_request_wispr_login(struct connman_service *service,
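Review bot: The early `return;` kept as context at the top of this hunk leaves wispr_portal_browser_reply_cb without dropping the reference that every `__connman_agent_request_browser` call site in this patch now takes first, while both later exits do call `wispr_portal_context_unref(wp_context)`. Its condition is outside the hunk, so this is inferred, but if that guard can fire with a non-NULL wp_context the context is never released on that path. Consider releasing there too, for example `if (wp_context) wispr_portal_context_unref(wp_context);` before the `return;`.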
84*4882a593Smuzhiyun@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,
85*4882a593Smuzhiyun
86*4882a593Smuzhiyun 		wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
87*4882a593Smuzhiyun
88*4882a593Smuzhiyun+		wispr_portal_context_ref(wp_context);
89*4882a593Smuzhiyun 		if (__connman_agent_request_login_input(wp_context->service,
90*4882a593Smuzhiyun 					wispr_portal_request_wispr_login,
91*4882a593Smuzhiyun-					wp_context) != -EINPROGRESS)
92*4882a593Smuzhiyun+					wp_context) != -EINPROGRESS) {
93*4882a593Smuzhiyun 			wispr_portal_error(wp_context);
94*4882a593Smuzhiyun-		else
95*4882a593Smuzhiyun+			wispr_portal_context_unref(wp_context);
96*4882a593Smuzhiyun+		} else
97*4882a593Smuzhiyun 			return true;
98*4882a593Smuzhiyun
99*4882a593Smuzhiyun 		break;
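Review bot: The reference taken by `wispr_portal_context_ref(wp_context)` before `__connman_agent_request_login_input` is released here only on the synchronous-failure branch; on the `-EINPROGRESS` branch (`return true`) it is handed to wispr_portal_request_wispr_login, and no hunk in this patch adds an unref to that callback. Unless it is released elsewhere (the file name marks this as part 2 of a series, so possibly in another part), the context would stay pinned after a login prompt. Please confirm where that reference is dropped and name the releasing function in a one-line comment next to the ref call. wispr_manage_message starts and ends outside the hunk.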
100*4882a593Smuzhiyun@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
101*4882a593Smuzhiyun 		if (length > 0) {
102*4882a593Smuzhiyun 			g_web_parser_feed_data(wp_context->wispr_parser,
103*4882a593Smuzhiyun 								chunk, length);
104*4882a593Smuzhiyun+			wispr_portal_context_unref(wp_context);
105*4882a593Smuzhiyun 			return true;
106*4882a593Smuzhiyun 		}
107*4882a593Smuzhiyun
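Review bot: The unref added before `return true` releases a reference on a path where the request appears to be still in flight. wispr_portal_request_portal takes one reference per `g_web_request_get`, so if gweb invokes wispr_portal_web_result again for the same request after it returns true (not visible here, please confirm), the later `done:` path would drop a second reference against a single ref. If that is the case, the unref belongs only on the paths that return false. The function starts and ends outside the hunk.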
108*4882a593Smuzhiyun@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
109*4882a593Smuzhiyun
110*4882a593Smuzhiyun 	switch (status) {
111*4882a593Smuzhiyun 	case 000:
112*4882a593Smuzhiyun+		wispr_portal_context_ref(wp_context);
113*4882a593Smuzhiyun 		__connman_agent_request_browser(wp_context->service,
114*4882a593Smuzhiyun 				wispr_portal_browser_reply_cb,
115*4882a593Smuzhiyun 				wp_context->status_url, wp_context);
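Review bot: The result of `__connman_agent_request_browser` is ignored after `wispr_portal_context_ref(wp_context)` in `case 000`, so a call that fails without queuing the request would never run wispr_portal_browser_reply_cb and the new reference would not be released. The login path in wispr_manage_message already handles this by comparing against `-EINPROGRESS` and unreffing on failure; the same pattern would fit here: `if (__connman_agent_request_browser(...) != -EINPROGRESS) wispr_portal_context_unref(wp_context);`. The same applies to the browser requests in the `case 200` else branch, the missing-`Location` branch and `case 505` in the following hunks. This assumes the browser request reports synchronous failure the same way the login request does.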
116*4882a593Smuzhiyun@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
117*4882a593Smuzhiyun 		if (g_web_result_get_header(result, "X-ConnMan-Status",
118*4882a593Smuzhiyun 						&str)) {
119*4882a593Smuzhiyun 			portal_manage_status(result, wp_context);
120*4882a593Smuzhiyun+			wispr_portal_context_unref(wp_context);
121*4882a593Smuzhiyun 			return false;
122*4882a593Smuzhiyun-		} else
123*4882a593Smuzhiyun+		} else {
124*4882a593Smuzhiyun+			wispr_portal_context_ref(wp_context);
125*4882a593Smuzhiyun 			__connman_agent_request_browser(wp_context->service,
126*4882a593Smuzhiyun 					wispr_portal_browser_reply_cb,
127*4882a593Smuzhiyun 					wp_context->redirect_url, wp_context);
128*4882a593Smuzhiyun+		}
129*4882a593Smuzhiyun
130*4882a593Smuzhiyun 		break;
131*4882a593Smuzhiyun 	case 300:
132*4882a593Smuzhiyun@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
133*4882a593Smuzhiyun 			!g_web_result_get_header(result, "Location",
134*4882a593Smuzhiyun 							&redirect)) {
135*4882a593Smuzhiyun
136*4882a593Smuzhiyun+			wispr_portal_context_ref(wp_context);
137*4882a593Smuzhiyun 			__connman_agent_request_browser(wp_context->service,
138*4882a593Smuzhiyun 					wispr_portal_browser_reply_cb,
139*4882a593Smuzhiyun 					wp_context->status_url, wp_context);
140*4882a593Smuzhiyun@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
141*4882a593Smuzhiyun
142*4882a593Smuzhiyun 		wp_context->redirect_url = g_strdup(redirect);
143*4882a593Smuzhiyun
144*4882a593Smuzhiyun+		wispr_portal_context_ref(wp_context);
145*4882a593Smuzhiyun 		wp_context->request_id = g_web_request_get(wp_context->web,
146*4882a593Smuzhiyun 				redirect, wispr_portal_web_result,
147*4882a593Smuzhiyun 				wispr_route_request, wp_context);
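Review bot: No `request_id == 0` check is visible after this second `g_web_request_get`, unlike wispr_portal_request_portal, which calls `wispr_portal_context_unref(wp_context)` when the request could not be started. The lines following the call are outside the hunk, so this may already be handled there; if not, a failed redirect request keeps the reference taken just above with no callback left to release it. A guard such as `if (wp_context->request_id == 0) wispr_portal_context_unref(wp_context);` right after the call would match the other site.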
148*4882a593Smuzhiyun@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
149*4882a593Smuzhiyun
150*4882a593Smuzhiyun 		break;
151*4882a593Smuzhiyun 	case 505:
152*4882a593Smuzhiyun+		wispr_portal_context_ref(wp_context);
153*4882a593Smuzhiyun 		__connman_agent_request_browser(wp_context->service,
154*4882a593Smuzhiyun 				wispr_portal_browser_reply_cb,
155*4882a593Smuzhiyun 				wp_context->status_url, wp_context);
156*4882a593Smuzhiyun@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
157*4882a593Smuzhiyun 	wp_context->request_id = 0;
158*4882a593Smuzhiyun done:
159*4882a593Smuzhiyun 	wp_context->wispr_msg.message_type = -1;
160*4882a593Smuzhiyun+	wispr_portal_context_unref(wp_context);
161*4882a593Smuzhiyun 	return false;
162*4882a593Smuzhiyun }
163*4882a593Smuzhiyun
164*4882a593Smuzhiyun@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data)
165*4882a593Smuzhiyun 					xml_wispr_parser_callback, wp_context);
166*4882a593Smuzhiyun
167*4882a593Smuzhiyun 	wispr_portal_request_portal(wp_context);
168*4882a593Smuzhiyun+	wispr_portal_context_unref(wp_context);
169*4882a593Smuzhiyun }
170*4882a593Smuzhiyun
171*4882a593Smuzhiyun static gboolean no_proxy_callback(gpointer user_data)
172*4882a593Smuzhiyun--
173*4882a593Smuzhiyuncgit
174*4882a593Smuzhiyun