diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2023-09-06 18:56:19 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-07 14:36:30 +0100 |
commit | dee8fc6a9757752ea58466a8ec5eaf25275928dc (patch) | |
tree | 712bee9bdeb9b2e56c8487f8981c6a94ce67cca1 /meta/recipes-connectivity | |
parent | 84ba56a144b296e7e8e2f9c7e5c972a57d7d2002 (diff) | |
download | poky-dee8fc6a9757752ea58466a8ec5eaf25275928dc.tar.gz |
connman: update 1.41 -> 1.42
Drop backports. 0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
is partially dropped, as upstream hasn't included the newly added header
into the tarball (issue addressed after the release).
(From OE-Core rev: eeb686876dc560b5f0fab6f37a2def3d78bb55db)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch | 63 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch | 128 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch | 8 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch | 37 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch | 141 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch | 174 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman_1.42.bb (renamed from meta/recipes-connectivity/connman/connman_1.41.bb) | 6 |
7 files changed, 4 insertions, 553 deletions
diff --git a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch b/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch deleted file mode 100644 index 8e2f47a1d5..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 11 Apr 2023 08:12:56 +0200 | ||
4 | Subject: [PATCH] gdhcp: Verify and sanitize packet length first | ||
5 | |||
6 | Avoid overwriting the read packet length after the initial test. Thus | ||
7 | move all the length checks which depends on the total length first | ||
8 | and do not use the total lenght from the IP packet afterwards. | ||
9 | |||
10 | Fixes CVE-2023-28488 | ||
11 | |||
12 | Reported by Polina Smirnova <moe.hwr@gmail.com> | ||
13 | |||
14 | CVE: CVE-2023-28488 | ||
15 | Upstream-Status: Backport | ||
16 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
17 | |||
18 | --- | ||
19 | gdhcp/client.c | 16 +++++++++------- | ||
20 | 1 file changed, 9 insertions(+), 7 deletions(-) | ||
21 | |||
22 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
23 | index 7efa7e45..82017692 100644 | ||
24 | --- a/gdhcp/client.c | ||
25 | +++ b/gdhcp/client.c | ||
26 | @@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) | ||
27 | static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
28 | struct sockaddr_in *dst_addr) | ||
29 | { | ||
30 | - int bytes; | ||
31 | struct ip_udp_dhcp_packet packet; | ||
32 | uint16_t check; | ||
33 | + int bytes, tot_len; | ||
34 | |||
35 | memset(&packet, 0, sizeof(packet)); | ||
36 | |||
37 | @@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
38 | if (bytes < 0) | ||
39 | return -1; | ||
40 | |||
41 | - if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
42 | - return -1; | ||
43 | - | ||
44 | - if (bytes < ntohs(packet.ip.tot_len)) | ||
45 | + tot_len = ntohs(packet.ip.tot_len); | ||
46 | + if (bytes > tot_len) { | ||
47 | + /* ignore any extra garbage bytes */ | ||
48 | + bytes = tot_len; | ||
49 | + } else if (bytes < tot_len) { | ||
50 | /* packet is bigger than sizeof(packet), we did partial read */ | ||
51 | return -1; | ||
52 | + } | ||
53 | |||
54 | - /* ignore any extra garbage bytes */ | ||
55 | - bytes = ntohs(packet.ip.tot_len); | ||
56 | + if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
57 | + return -1; | ||
58 | |||
59 | if (!sanity_check(&packet, bytes)) | ||
60 | return -1; | ||
61 | -- | ||
62 | 2.34.1 | ||
63 | |||
diff --git a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch index 83343fdda5..9e5ac8da15 100644 --- a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch +++ b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5f373f373f5baccc282dce257b7b16c8bb4a82c4 Mon Sep 17 00:00:00 2001 | 1 | From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com> | 2 | From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com> |
3 | Date: Sat, 25 Mar 2023 20:51:52 +0000 | 3 | Date: Sat, 25 Mar 2023 20:51:52 +0000 |
4 | Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release | 4 | Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release |
@@ -11,82 +11,12 @@ Adding a libppp-compat.h file to mask for any differences in the version. | |||
11 | 11 | ||
12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f] | 12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f] |
13 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> | 13 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> |
14 | |||
14 | --- | 15 | --- |
15 | configure.ac | 42 ++++++++----- | ||
16 | scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++ | 16 | scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++ |
17 | scripts/libppp-plugin.c | 15 +++-- | 17 | 1 file changed, 127 insertions(+) |
18 | 3 files changed, 161 insertions(+), 23 deletions(-) | ||
19 | create mode 100644 scripts/libppp-compat.h | 18 | create mode 100644 scripts/libppp-compat.h |
20 | 19 | ||
21 | diff --git a/configure.ac b/configure.ac | ||
22 | index a573cef..f34bb38 100644 | ||
23 | --- a/configure.ac | ||
24 | +++ b/configure.ac | ||
25 | @@ -135,14 +135,6 @@ AC_ARG_ENABLE(l2tp, | ||
26 | AC_HELP_STRING([--enable-l2tp], [enable l2tp support]), | ||
27 | [enable_l2tp=${enableval}], [enable_l2tp="no"]) | ||
28 | if (test "${enable_l2tp}" != "no"); then | ||
29 | - if (test -z "${path_pppd}"); then | ||
30 | - AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) | ||
31 | - else | ||
32 | - PPPD="${path_pppd}" | ||
33 | - AC_SUBST(PPPD) | ||
34 | - fi | ||
35 | - AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, | ||
36 | - AC_MSG_ERROR(ppp header files are required)) | ||
37 | if (test -z "${path_l2tp}"); then | ||
38 | AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin) | ||
39 | else | ||
40 | @@ -160,6 +152,18 @@ AC_ARG_ENABLE(pptp, | ||
41 | AC_HELP_STRING([--enable-pptp], [enable pptp support]), | ||
42 | [enable_pptp=${enableval}], [enable_pptp="no"]) | ||
43 | if (test "${enable_pptp}" != "no"); then | ||
44 | + if (test -z "${path_pptp}"); then | ||
45 | + AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin) | ||
46 | + else | ||
47 | + PPTP="${path_pptp}" | ||
48 | + AC_SUBST(PPTP) | ||
49 | + fi | ||
50 | +fi | ||
51 | +AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no") | ||
52 | +AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin") | ||
53 | + | ||
54 | +if (test "${enable_pptp}" != "no" || test "${enable_l2tp}" != "no"); then | ||
55 | + | ||
56 | if (test -z "${path_pppd}"); then | ||
57 | AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) | ||
58 | else | ||
59 | @@ -168,15 +172,23 @@ if (test "${enable_pptp}" != "no"); then | ||
60 | fi | ||
61 | AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, | ||
62 | AC_MSG_ERROR(ppp header files are required)) | ||
63 | - if (test -z "${path_pptp}"); then | ||
64 | - AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin) | ||
65 | - else | ||
66 | - PPTP="${path_pptp}" | ||
67 | - AC_SUBST(PPTP) | ||
68 | + AC_CHECK_HEADERS([pppd/chap.h pppd/chap-new.h pppd/chap_ms.h]) | ||
69 | + | ||
70 | + PKG_CHECK_EXISTS([pppd], | ||
71 | + [AS_VAR_SET([pppd_pkgconfig_support],[yes])]) | ||
72 | + | ||
73 | + PPPD_VERSION=2.4.9 | ||
74 | + if test x"$pppd_pkgconfig_support" = xyes; then | ||
75 | + PPPD_VERSION=`$PKG_CONFIG --modversion pppd` | ||
76 | fi | ||
77 | + | ||
78 | + AC_DEFINE_UNQUOTED([PPP_VERSION(x,y,z)], | ||
79 | + [((x & 0xFF) << 16 | (y & 0xFF) << 8 | (z & 0xFF) << 0)], | ||
80 | + [Macro to help determine the particular version of pppd]) | ||
81 | + PPP_VERSION=$(echo $PPPD_VERSION | sed -e "s/\./\,/g") | ||
82 | + AC_DEFINE_UNQUOTED(WITH_PPP_VERSION, PPP_VERSION($PPP_VERSION), | ||
83 | + [The real version of pppd represented as an int]) | ||
84 | fi | ||
85 | -AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no") | ||
86 | -AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin") | ||
87 | |||
88 | AC_CHECK_HEADERS(resolv.h, dummy=yes, | ||
89 | AC_MSG_ERROR(resolver header files are required)) | ||
90 | diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h | 20 | diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h |
91 | new file mode 100644 | 21 | new file mode 100644 |
92 | index 0000000..eee1d09 | 22 | index 0000000..eee1d09 |
@@ -220,55 +150,3 @@ index 0000000..eee1d09 | |||
220 | + | 150 | + |
221 | +#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */ | 151 | +#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */ |
222 | +#endif /* #if__LIBPPP_COMPAT_H__ */ | 152 | +#endif /* #if__LIBPPP_COMPAT_H__ */ |
223 | diff --git a/scripts/libppp-plugin.c b/scripts/libppp-plugin.c | ||
224 | index 0dd8b47..61641b5 100644 | ||
225 | --- a/scripts/libppp-plugin.c | ||
226 | +++ b/scripts/libppp-plugin.c | ||
227 | @@ -29,14 +29,13 @@ | ||
228 | #include <sys/types.h> | ||
229 | #include <sys/stat.h> | ||
230 | #include <fcntl.h> | ||
231 | -#include <pppd/pppd.h> | ||
232 | -#include <pppd/fsm.h> | ||
233 | -#include <pppd/ipcp.h> | ||
234 | #include <netinet/in.h> | ||
235 | #include <arpa/inet.h> | ||
236 | |||
237 | #include <dbus/dbus.h> | ||
238 | |||
239 | +#include "libppp-compat.h" | ||
240 | + | ||
241 | #define INET_ADDRES_LEN (INET_ADDRSTRLEN + 5) | ||
242 | #define INET_DNS_LEN (2*INET_ADDRSTRLEN + 9) | ||
243 | |||
244 | @@ -47,7 +46,7 @@ static char *path; | ||
245 | static DBusConnection *connection; | ||
246 | static int prev_phase; | ||
247 | |||
248 | -char pppd_version[] = VERSION; | ||
249 | +char pppd_version[] = PPPD_VERSION; | ||
250 | |||
251 | int plugin_init(void); | ||
252 | |||
253 | @@ -170,7 +169,7 @@ static void ppp_up(void *data, int arg) | ||
254 | DBUS_TYPE_STRING_AS_STRING DBUS_TYPE_STRING_AS_STRING | ||
255 | DBUS_DICT_ENTRY_END_CHAR_AS_STRING, &dict); | ||
256 | |||
257 | - append(&dict, "INTERNAL_IFNAME", ifname); | ||
258 | + append(&dict, "INTERNAL_IFNAME", ppp_ifname()); | ||
259 | |||
260 | inet_ntop(AF_INET, &ipcp_gotoptions[0].ouraddr, buf, INET_ADDRSTRLEN); | ||
261 | append(&dict, "INTERNAL_IP4_ADDRESS", buf); | ||
262 | @@ -309,9 +308,9 @@ int plugin_init(void) | ||
263 | chap_check_hook = ppp_have_secret; | ||
264 | pap_check_hook = ppp_have_secret; | ||
265 | |||
266 | - add_notifier(&ip_up_notifier, ppp_up, NULL); | ||
267 | - add_notifier(&phasechange, ppp_phase_change, NULL); | ||
268 | - add_notifier(&exitnotify, ppp_exit, connection); | ||
269 | + ppp_add_notify(NF_IP_UP, ppp_up, NULL); | ||
270 | + ppp_add_notify(NF_PHASE_CHANGE, ppp_phase_change, NULL); | ||
271 | + ppp_add_notify(NF_EXIT, ppp_exit, connection); | ||
272 | |||
273 | return 0; | ||
274 | } | ||
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch index 9dca21a02f..aefdd3aa06 100644 --- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch +++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch | |||
@@ -18,14 +18,6 @@ diff --git a/gweb/gresolv.c b/gweb/gresolv.c | |||
18 | index 954e7cf..2a9bc51 100644 | 18 | index 954e7cf..2a9bc51 100644 |
19 | --- a/gweb/gresolv.c | 19 | --- a/gweb/gresolv.c |
20 | +++ b/gweb/gresolv.c | 20 | +++ b/gweb/gresolv.c |
21 | @@ -36,6 +36,7 @@ | ||
22 | #include <arpa/inet.h> | ||
23 | #include <arpa/nameser.h> | ||
24 | #include <net/if.h> | ||
25 | +#include <ctype.h> | ||
26 | |||
27 | #include "gresolv.h" | ||
28 | |||
29 | @@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index) | 21 | @@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index) |
30 | resolv->index = index; | 22 | resolv->index = index; |
31 | resolv->nameserver_list = NULL; | 23 | resolv->nameserver_list = NULL; |
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch deleted file mode 100644 index 182c5ca29c..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Crandall <ncrandall@tesla.com> | ||
3 | Date: Tue, 12 Jul 2022 08:56:34 +0200 | ||
4 | Subject: gweb: Fix OOB write in received_data() | ||
5 | |||
6 | There is a mismatch of handling binary vs. C-string data with memchr | ||
7 | and strlen, resulting in pos, count, and bytes_read to become out of | ||
8 | sync and result in a heap overflow. Instead, do not treat the buffer | ||
9 | as an ASCII C-string. We calculate the count based on the return value | ||
10 | of memchr, instead of strlen. | ||
11 | |||
12 | Fixes: CVE-2022-32292 | ||
13 | |||
14 | CVE: CVE-2022-32292 | ||
15 | |||
16 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd] | ||
17 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
18 | --- | ||
19 | gweb/gweb.c | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/gweb/gweb.c b/gweb/gweb.c | ||
23 | index 12fcb1d8..13c6c5f2 100644 | ||
24 | --- a/gweb/gweb.c | ||
25 | +++ b/gweb/gweb.c | ||
26 | @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, | ||
27 | } | ||
28 | |||
29 | *pos = '\0'; | ||
30 | - count = strlen((char *) ptr); | ||
31 | + count = pos - ptr; | ||
32 | if (count > 0 && ptr[count - 1] == '\r') { | ||
33 | ptr[--count] = '\0'; | ||
34 | bytes_read--; | ||
35 | -- | ||
36 | cgit | ||
37 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch deleted file mode 100644 index b280203594..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch +++ /dev/null | |||
@@ -1,141 +0,0 @@ | |||
1 | From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 5 Jul 2022 08:32:12 +0200 | ||
4 | Subject: wispr: Add reference counter to portal context | ||
5 | |||
6 | Track the connman_wispr_portal_context live time via a | ||
7 | refcounter. This only adds the infrastructure to do proper reference | ||
8 | counting. | ||
9 | |||
10 | Fixes: CVE-2022-32293 | ||
11 | CVE: CVE-2022-32293 | ||
12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] | ||
13 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
14 | --- | ||
15 | src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- | ||
16 | 1 file changed, 42 insertions(+), 10 deletions(-) | ||
17 | |||
18 | diff --git a/src/wispr.c b/src/wispr.c | ||
19 | index a07896ca..bde7e63b 100644 | ||
20 | --- a/src/wispr.c | ||
21 | +++ b/src/wispr.c | ||
22 | @@ -56,6 +56,7 @@ struct wispr_route { | ||
23 | }; | ||
24 | |||
25 | struct connman_wispr_portal_context { | ||
26 | + int refcount; | ||
27 | struct connman_service *service; | ||
28 | enum connman_ipconfig_type type; | ||
29 | struct connman_wispr_portal *wispr_portal; | ||
30 | @@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; | ||
31 | static char *online_check_ipv6_url = NULL; | ||
32 | static bool enable_online_to_ready_transition = false; | ||
33 | |||
34 | +#define wispr_portal_context_ref(wp_context) \ | ||
35 | + wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
36 | +#define wispr_portal_context_unref(wp_context) \ | ||
37 | + wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
38 | + | ||
39 | static void connman_wispr_message_init(struct connman_wispr_message *msg) | ||
40 | { | ||
41 | DBG(""); | ||
42 | @@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( | ||
43 | { | ||
44 | DBG("context %p", wp_context); | ||
45 | |||
46 | - if (!wp_context) | ||
47 | - return; | ||
48 | - | ||
49 | if (wp_context->wispr_portal) { | ||
50 | if (wp_context->wispr_portal->ipv4_context == wp_context) | ||
51 | wp_context->wispr_portal->ipv4_context = NULL; | ||
52 | @@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( | ||
53 | g_free(wp_context); | ||
54 | } | ||
55 | |||
56 | +static struct connman_wispr_portal_context * | ||
57 | +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, | ||
58 | + const char *file, int line, const char *caller) | ||
59 | +{ | ||
60 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
61 | + wp_context->refcount + 1, file, line, caller); | ||
62 | + | ||
63 | + __sync_fetch_and_add(&wp_context->refcount, 1); | ||
64 | + | ||
65 | + return wp_context; | ||
66 | +} | ||
67 | + | ||
68 | +static void wispr_portal_context_unref_debug( | ||
69 | + struct connman_wispr_portal_context *wp_context, | ||
70 | + const char *file, int line, const char *caller) | ||
71 | +{ | ||
72 | + if (!wp_context) | ||
73 | + return; | ||
74 | + | ||
75 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
76 | + wp_context->refcount - 1, file, line, caller); | ||
77 | + | ||
78 | + if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) | ||
79 | + return; | ||
80 | + | ||
81 | + free_connman_wispr_portal_context(wp_context); | ||
82 | +} | ||
83 | + | ||
84 | static struct connman_wispr_portal_context *create_wispr_portal_context(void) | ||
85 | { | ||
86 | - return g_try_new0(struct connman_wispr_portal_context, 1); | ||
87 | + return wispr_portal_context_ref( | ||
88 | + g_new0(struct connman_wispr_portal_context, 1)); | ||
89 | } | ||
90 | |||
91 | static void free_connman_wispr_portal(gpointer data) | ||
92 | @@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) | ||
93 | if (!wispr_portal) | ||
94 | return; | ||
95 | |||
96 | - free_connman_wispr_portal_context(wispr_portal->ipv4_context); | ||
97 | - free_connman_wispr_portal_context(wispr_portal->ipv6_context); | ||
98 | + wispr_portal_context_unref(wispr_portal->ipv4_context); | ||
99 | + wispr_portal_context_unref(wispr_portal->ipv6_context); | ||
100 | |||
101 | g_free(wispr_portal); | ||
102 | } | ||
103 | @@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, | ||
104 | connman_info("Client-Timezone: %s", str); | ||
105 | |||
106 | if (!enable_online_to_ready_transition) | ||
107 | - free_connman_wispr_portal_context(wp_context); | ||
108 | + wispr_portal_context_unref(wp_context); | ||
109 | |||
110 | __connman_service_ipconfig_indicate_state(service, | ||
111 | CONNMAN_SERVICE_STATE_ONLINE, type); | ||
112 | @@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
113 | return; | ||
114 | } | ||
115 | |||
116 | - free_connman_wispr_portal_context(wp_context); | ||
117 | + wispr_portal_context_unref(wp_context); | ||
118 | return; | ||
119 | } | ||
120 | |||
121 | @@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) | ||
122 | |||
123 | if (wp_context->token == 0) { | ||
124 | err = -EINVAL; | ||
125 | - free_connman_wispr_portal_context(wp_context); | ||
126 | + wispr_portal_context_unref(wp_context); | ||
127 | } | ||
128 | } else if (wp_context->timeout == 0) { | ||
129 | wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); | ||
130 | @@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service, | ||
131 | |||
132 | /* If there is already an existing context, we wipe it */ | ||
133 | if (wp_context) | ||
134 | - free_connman_wispr_portal_context(wp_context); | ||
135 | + wispr_portal_context_unref(wp_context); | ||
136 | |||
137 | wp_context = create_wispr_portal_context(); | ||
138 | if (!wp_context) | ||
139 | -- | ||
140 | cgit | ||
141 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch deleted file mode 100644 index 56f8fc82de..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch +++ /dev/null | |||
@@ -1,174 +0,0 @@ | |||
1 | From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 5 Jul 2022 09:11:09 +0200 | ||
4 | Subject: wispr: Update portal context references | ||
5 | |||
6 | Maintain proper portal context references to avoid UAF. | ||
7 | |||
8 | Fixes: CVE-2022-32293 | ||
9 | CVE: CVE-2022-32293 | ||
10 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] | ||
11 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
12 | --- | ||
13 | src/wispr.c | 34 ++++++++++++++++++++++------------ | ||
14 | 1 file changed, 22 insertions(+), 12 deletions(-) | ||
15 | |||
16 | diff --git a/src/wispr.c b/src/wispr.c | ||
17 | index bde7e63b..84bed33f 100644 | ||
18 | --- a/src/wispr.c | ||
19 | +++ b/src/wispr.c | ||
20 | @@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; | ||
21 | |||
22 | static void connman_wispr_message_init(struct connman_wispr_message *msg) | ||
23 | { | ||
24 | - DBG(""); | ||
25 | - | ||
26 | msg->has_error = false; | ||
27 | msg->current_element = NULL; | ||
28 | |||
29 | @@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) | ||
30 | static void free_connman_wispr_portal_context( | ||
31 | struct connman_wispr_portal_context *wp_context) | ||
32 | { | ||
33 | - DBG("context %p", wp_context); | ||
34 | - | ||
35 | if (wp_context->wispr_portal) { | ||
36 | if (wp_context->wispr_portal->ipv4_context == wp_context) | ||
37 | wp_context->wispr_portal->ipv4_context = NULL; | ||
38 | @@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, | ||
39 | &str)) | ||
40 | connman_info("Client-Timezone: %s", str); | ||
41 | |||
42 | - if (!enable_online_to_ready_transition) | ||
43 | - wispr_portal_context_unref(wp_context); | ||
44 | - | ||
45 | __connman_service_ipconfig_indicate_state(service, | ||
46 | CONNMAN_SERVICE_STATE_ONLINE, type); | ||
47 | |||
48 | @@ -546,14 +539,17 @@ static void wispr_portal_request_portal( | ||
49 | { | ||
50 | DBG(""); | ||
51 | |||
52 | + wispr_portal_context_ref(wp_context); | ||
53 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
54 | wp_context->status_url, | ||
55 | wispr_portal_web_result, | ||
56 | wispr_route_request, | ||
57 | wp_context); | ||
58 | |||
59 | - if (wp_context->request_id == 0) | ||
60 | + if (wp_context->request_id == 0) { | ||
61 | wispr_portal_error(wp_context); | ||
62 | + wispr_portal_context_unref(wp_context); | ||
63 | + } | ||
64 | } | ||
65 | |||
66 | static bool wispr_input(const guint8 **data, gsize *length, | ||
67 | @@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, | ||
68 | return; | ||
69 | |||
70 | if (!authentication_done) { | ||
71 | - wispr_portal_error(wp_context); | ||
72 | free_wispr_routes(wp_context); | ||
73 | + wispr_portal_error(wp_context); | ||
74 | + wispr_portal_context_unref(wp_context); | ||
75 | return; | ||
76 | } | ||
77 | |||
78 | /* Restarting the test */ | ||
79 | __connman_service_wispr_start(service, wp_context->type); | ||
80 | + wispr_portal_context_unref(wp_context); | ||
81 | } | ||
82 | |||
83 | static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
84 | @@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, | ||
85 | |||
86 | wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; | ||
87 | |||
88 | + wispr_portal_context_ref(wp_context); | ||
89 | if (__connman_agent_request_login_input(wp_context->service, | ||
90 | wispr_portal_request_wispr_login, | ||
91 | - wp_context) != -EINPROGRESS) | ||
92 | + wp_context) != -EINPROGRESS) { | ||
93 | wispr_portal_error(wp_context); | ||
94 | - else | ||
95 | + wispr_portal_context_unref(wp_context); | ||
96 | + } else | ||
97 | return true; | ||
98 | |||
99 | break; | ||
100 | @@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
101 | if (length > 0) { | ||
102 | g_web_parser_feed_data(wp_context->wispr_parser, | ||
103 | chunk, length); | ||
104 | + wispr_portal_context_unref(wp_context); | ||
105 | return true; | ||
106 | } | ||
107 | |||
108 | @@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
109 | |||
110 | switch (status) { | ||
111 | case 000: | ||
112 | + wispr_portal_context_ref(wp_context); | ||
113 | __connman_agent_request_browser(wp_context->service, | ||
114 | wispr_portal_browser_reply_cb, | ||
115 | wp_context->status_url, wp_context); | ||
116 | @@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
117 | if (g_web_result_get_header(result, "X-ConnMan-Status", | ||
118 | &str)) { | ||
119 | portal_manage_status(result, wp_context); | ||
120 | + wispr_portal_context_unref(wp_context); | ||
121 | return false; | ||
122 | - } else | ||
123 | + } else { | ||
124 | + wispr_portal_context_ref(wp_context); | ||
125 | __connman_agent_request_browser(wp_context->service, | ||
126 | wispr_portal_browser_reply_cb, | ||
127 | wp_context->redirect_url, wp_context); | ||
128 | + } | ||
129 | |||
130 | break; | ||
131 | case 300: | ||
132 | @@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
133 | !g_web_result_get_header(result, "Location", | ||
134 | &redirect)) { | ||
135 | |||
136 | + wispr_portal_context_ref(wp_context); | ||
137 | __connman_agent_request_browser(wp_context->service, | ||
138 | wispr_portal_browser_reply_cb, | ||
139 | wp_context->status_url, wp_context); | ||
140 | @@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
141 | |||
142 | wp_context->redirect_url = g_strdup(redirect); | ||
143 | |||
144 | + wispr_portal_context_ref(wp_context); | ||
145 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
146 | redirect, wispr_portal_web_result, | ||
147 | wispr_route_request, wp_context); | ||
148 | @@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
149 | |||
150 | break; | ||
151 | case 505: | ||
152 | + wispr_portal_context_ref(wp_context); | ||
153 | __connman_agent_request_browser(wp_context->service, | ||
154 | wispr_portal_browser_reply_cb, | ||
155 | wp_context->status_url, wp_context); | ||
156 | @@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
157 | wp_context->request_id = 0; | ||
158 | done: | ||
159 | wp_context->wispr_msg.message_type = -1; | ||
160 | + wispr_portal_context_unref(wp_context); | ||
161 | return false; | ||
162 | } | ||
163 | |||
164 | @@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) | ||
165 | xml_wispr_parser_callback, wp_context); | ||
166 | |||
167 | wispr_portal_request_portal(wp_context); | ||
168 | + wispr_portal_context_unref(wp_context); | ||
169 | } | ||
170 | |||
171 | static gboolean no_proxy_callback(gpointer user_data) | ||
172 | -- | ||
173 | cgit | ||
174 | |||
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.42.bb index d8ac1f5cde..c2fcd617ae 100644 --- a/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/meta/recipes-connectivity/connman/connman_1.42.bb | |||
@@ -5,16 +5,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ | |||
5 | file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \ | 5 | file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \ |
6 | file://connman \ | 6 | file://connman \ |
7 | file://no-version-scripts.patch \ | 7 | file://no-version-scripts.patch \ |
8 | file://CVE-2022-32293_p1.patch \ | ||
9 | file://CVE-2022-32293_p2.patch \ | ||
10 | file://CVE-2022-32292.patch \ | ||
11 | file://0001-gdhcp-Verify-and-sanitize-packet-length-first.patch \ | ||
12 | file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ | 8 | file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ |
13 | " | 9 | " |
14 | 10 | ||
15 | SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" | 11 | SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" |
16 | 12 | ||
17 | SRC_URI[sha256sum] = "79fb40f4fdd5530c45aa8e592fb16ba23d3674f3a98cf10b89a6576f198de589" | 13 | SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa" |
18 | 14 | ||
19 | RRECOMMENDS:${PN} = "connman-conf" | 15 | RRECOMMENDS:${PN} = "connman-conf" |
20 | RCONFLICTS:${PN} = "networkmanager" | 16 | RCONFLICTS:${PN} = "networkmanager" |