diff options
Diffstat (limited to 'meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch')
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch new file mode 100644 index 0000000000..56f8fc82de --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch | |||
@@ -0,0 +1,174 @@ | |||
1 | From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 5 Jul 2022 09:11:09 +0200 | ||
4 | Subject: wispr: Update portal context references | ||
5 | |||
6 | Maintain proper portal context references to avoid UAF. | ||
7 | |||
8 | Fixes: CVE-2022-32293 | ||
9 | CVE: CVE-2022-32293 | ||
10 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] | ||
11 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
12 | --- | ||
13 | src/wispr.c | 34 ++++++++++++++++++++++------------ | ||
14 | 1 file changed, 22 insertions(+), 12 deletions(-) | ||
15 | |||
16 | diff --git a/src/wispr.c b/src/wispr.c | ||
17 | index bde7e63b..84bed33f 100644 | ||
18 | --- a/src/wispr.c | ||
19 | +++ b/src/wispr.c | ||
20 | @@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; | ||
21 | |||
22 | static void connman_wispr_message_init(struct connman_wispr_message *msg) | ||
23 | { | ||
24 | - DBG(""); | ||
25 | - | ||
26 | msg->has_error = false; | ||
27 | msg->current_element = NULL; | ||
28 | |||
29 | @@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) | ||
30 | static void free_connman_wispr_portal_context( | ||
31 | struct connman_wispr_portal_context *wp_context) | ||
32 | { | ||
33 | - DBG("context %p", wp_context); | ||
34 | - | ||
35 | if (wp_context->wispr_portal) { | ||
36 | if (wp_context->wispr_portal->ipv4_context == wp_context) | ||
37 | wp_context->wispr_portal->ipv4_context = NULL; | ||
38 | @@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, | ||
39 | &str)) | ||
40 | connman_info("Client-Timezone: %s", str); | ||
41 | |||
42 | - if (!enable_online_to_ready_transition) | ||
43 | - wispr_portal_context_unref(wp_context); | ||
44 | - | ||
45 | __connman_service_ipconfig_indicate_state(service, | ||
46 | CONNMAN_SERVICE_STATE_ONLINE, type); | ||
47 | |||
48 | @@ -546,14 +539,17 @@ static void wispr_portal_request_portal( | ||
49 | { | ||
50 | DBG(""); | ||
51 | |||
52 | + wispr_portal_context_ref(wp_context); | ||
53 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
54 | wp_context->status_url, | ||
55 | wispr_portal_web_result, | ||
56 | wispr_route_request, | ||
57 | wp_context); | ||
58 | |||
59 | - if (wp_context->request_id == 0) | ||
60 | + if (wp_context->request_id == 0) { | ||
61 | wispr_portal_error(wp_context); | ||
62 | + wispr_portal_context_unref(wp_context); | ||
63 | + } | ||
64 | } | ||
65 | |||
66 | static bool wispr_input(const guint8 **data, gsize *length, | ||
67 | @@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, | ||
68 | return; | ||
69 | |||
70 | if (!authentication_done) { | ||
71 | - wispr_portal_error(wp_context); | ||
72 | free_wispr_routes(wp_context); | ||
73 | + wispr_portal_error(wp_context); | ||
74 | + wispr_portal_context_unref(wp_context); | ||
75 | return; | ||
76 | } | ||
77 | |||
78 | /* Restarting the test */ | ||
79 | __connman_service_wispr_start(service, wp_context->type); | ||
80 | + wispr_portal_context_unref(wp_context); | ||
81 | } | ||
82 | |||
83 | static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
84 | @@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, | ||
85 | |||
86 | wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; | ||
87 | |||
88 | + wispr_portal_context_ref(wp_context); | ||
89 | if (__connman_agent_request_login_input(wp_context->service, | ||
90 | wispr_portal_request_wispr_login, | ||
91 | - wp_context) != -EINPROGRESS) | ||
92 | + wp_context) != -EINPROGRESS) { | ||
93 | wispr_portal_error(wp_context); | ||
94 | - else | ||
95 | + wispr_portal_context_unref(wp_context); | ||
96 | + } else | ||
97 | return true; | ||
98 | |||
99 | break; | ||
100 | @@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
101 | if (length > 0) { | ||
102 | g_web_parser_feed_data(wp_context->wispr_parser, | ||
103 | chunk, length); | ||
104 | + wispr_portal_context_unref(wp_context); | ||
105 | return true; | ||
106 | } | ||
107 | |||
108 | @@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
109 | |||
110 | switch (status) { | ||
111 | case 000: | ||
112 | + wispr_portal_context_ref(wp_context); | ||
113 | __connman_agent_request_browser(wp_context->service, | ||
114 | wispr_portal_browser_reply_cb, | ||
115 | wp_context->status_url, wp_context); | ||
116 | @@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
117 | if (g_web_result_get_header(result, "X-ConnMan-Status", | ||
118 | &str)) { | ||
119 | portal_manage_status(result, wp_context); | ||
120 | + wispr_portal_context_unref(wp_context); | ||
121 | return false; | ||
122 | - } else | ||
123 | + } else { | ||
124 | + wispr_portal_context_ref(wp_context); | ||
125 | __connman_agent_request_browser(wp_context->service, | ||
126 | wispr_portal_browser_reply_cb, | ||
127 | wp_context->redirect_url, wp_context); | ||
128 | + } | ||
129 | |||
130 | break; | ||
131 | case 300: | ||
132 | @@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
133 | !g_web_result_get_header(result, "Location", | ||
134 | &redirect)) { | ||
135 | |||
136 | + wispr_portal_context_ref(wp_context); | ||
137 | __connman_agent_request_browser(wp_context->service, | ||
138 | wispr_portal_browser_reply_cb, | ||
139 | wp_context->status_url, wp_context); | ||
140 | @@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
141 | |||
142 | wp_context->redirect_url = g_strdup(redirect); | ||
143 | |||
144 | + wispr_portal_context_ref(wp_context); | ||
145 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
146 | redirect, wispr_portal_web_result, | ||
147 | wispr_route_request, wp_context); | ||
148 | @@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
149 | |||
150 | break; | ||
151 | case 505: | ||
152 | + wispr_portal_context_ref(wp_context); | ||
153 | __connman_agent_request_browser(wp_context->service, | ||
154 | wispr_portal_browser_reply_cb, | ||
155 | wp_context->status_url, wp_context); | ||
156 | @@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
157 | wp_context->request_id = 0; | ||
158 | done: | ||
159 | wp_context->wispr_msg.message_type = -1; | ||
160 | + wispr_portal_context_unref(wp_context); | ||
161 | return false; | ||
162 | } | ||
163 | |||
164 | @@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) | ||
165 | xml_wispr_parser_callback, wp_context); | ||
166 | |||
167 | wispr_portal_request_portal(wp_context); | ||
168 | + wispr_portal_context_unref(wp_context); | ||
169 | } | ||
170 | |||
171 | static gboolean no_proxy_callback(gpointer user_data) | ||
172 | -- | ||
173 | cgit | ||
174 | |||