From: Saurav Babu Date: Wed, 30 May 2018 07:06:40 +0000 (+0530) Subject: gsupplicant: Fixed invalid read issue X-Git-Tag: accepted/tizen/unified/20180612.044159~2 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Fconnman.git;a=commitdiff_plain;h=522b6f5340a56e3431cb5aa82fef864aa45a7a32 gsupplicant: Fixed invalid read issue ==1071== Invalid read of size 4 ==1071== at 0x48DBB00: g_slist_length (gslist.c:856) ==1071== by 0x12A3C7: add_or_replace_bss_to_network (supplicant.c:1930) ==1071== by 0x12BB4D: signal_bss_changed (supplicant.c:3194) ==1071== by 0x12AFD1: g_supplicant_filter (supplicant.c:4038) ==1071== by 0x4998A17: dbus_connection_dispatch (dbus-connection.c:4808) ==1071== by 0x18E931: message_dispatch (mainloop.c:76) ==1071== by 0x48BB8E7: g_main_dispatch (gmain.c:3234) ==1071== by 0x48BB8E7: g_main_context_dispatch (gmain.c:3887) ==1071== by 0x48BBC77: g_main_context_iterate.isra.30 (gmain.c:3960) ==1071== by 0x48BBFD7: g_main_loop_run (gmain.c:4156) ==1071== by 0x119389: main (main.c:851) ==1071== Address 0x4e800a4 is 4 bytes inside a block of size 8 free'd ==1071== at 0x4846EC8: free (vg_replace_malloc.c:530) ==1071== by 0x48DB10F: g_slice_free_chain_with_offset (gslice.c:1232) ==1071== by 0x12A03F: remove_bss (supplicant.c:841) ==1071== by 0x48A858F: g_hash_table_remove_all_nodes.part.0 (ghash.c:548) ==1071== by 0x48A95B7: g_hash_table_remove_all_nodes (ghash.c:1428) ==1071== by 0x48A95B7: g_hash_table_remove_all (ghash.c:1431) ==1071== by 0x48A964B: g_hash_table_destroy (ghash.c:1124) ==1071== by 0x12A8E5: remove_network (supplicant.c:814) ==1071== by 0x48A8A3F: g_hash_table_remove_internal (ghash.c:1360) ==1071== by 0x12BB47: signal_bss_changed (supplicant.c:3192) ==1071== by 0x12AFD1: g_supplicant_filter (supplicant.c:4038) ==1071== by 0x4998A17: dbus_connection_dispatch (dbus-connection.c:4808) ==1071== by 0x18E931: message_dispatch (mainloop.c:76) ==1071== Block was alloc'd at ==1071== at 0x48458A4: malloc (vg_replace_malloc.c:299) 
==1071== by 0x48C11B3: g_malloc (gmem.c:94) ==1071== by 0x48DA4A3: g_slice_alloc (gslice.c:1025) ==1071== by 0x48DB4AF: g_slist_prepend (gslist.c:254) ==1071== by 0x12C7D7: bss_process_ies (supplicant.c:2176) ==1071== by 0x12C7D7: bss_property (supplicant.c:2388) ==1071== by 0x1301FF: supplicant_dbus_property_foreach (dbus.c:145) ==1071== by 0x1302A1: property_get_all_reply (dbus.c:184) ==1071== by 0x498FABB: complete_pending_call_and_unlock (dbus-connection.c:2340) ==1071== by 0x49981BF: dbus_connection_dispatch (dbus-connection.c:4757) ==1071== by 0x18E931: message_dispatch (mainloop.c:76) ==1071== by 0x48BB8E7: g_main_dispatch (gmain.c:3234) ==1071== by 0x48BB8E7: g_main_context_dispatch (gmain.c:3887) ==1071== by 0x48BBC77: g_main_context_iterate.isra.30 (gmain.c:3960) ==1679== Invalid read of size 4 ==1679== at 0x484D358: memmove (vg_replace_strmem.c:1258) ==1679== by 0x49D8307: memmove (string3.h:59) ==1679== by 0x49D8307: copy.isra.3 (dbus-string.c:1219) ==1679== by 0x49D209F: marshal_1_octets_array (dbus-marshal-basic.c:868) ==1679== by 0x49D209F: _dbus_marshal_write_fixed_multi (dbus-marshal-basic.c:1041) ==1679== by 0x49A4A3B: _dbus_type_writer_write_fixed_multi (dbus-marshal-recursive.c:2681) ==1679== by 0x13088D: supplicant_dbus_property_append_fixed_array (dbus.c:611) ==1679== by 0x12E775: supplicant_dbus_dict_append_fixed_array (dbus.h:121) ==1679== by 0x12E775: interface_add_network_params (supplicant.c:5518) ==1679== by 0x1306FB: supplicant_dbus_method_call (dbus.c:515) ==1679== by 0x12AF05: decryption_request_reply (supplicant.c:5713) ==1679== by 0x498FABB: complete_pending_call_and_unlock (dbus-connection.c:2340) ==1679== by 0x49981BF: dbus_connection_dispatch (dbus-connection.c:4757) ==1679== by 0x18E931: message_dispatch (mainloop.c:76) ==1679== by 0x48BB8E7: g_main_dispatch (gmain.c:3234) ==1679== by 0x48BB8E7: g_main_context_dispatch (gmain.c:3887) Change-Id: I53652b06891fa8465e9dd425f425210ebc67ee9f Signed-off-by: Saurav Babu --- 
diff --git a/gsupplicant/gsupplicant.h b/gsupplicant/gsupplicant.h
index b0984b8..648ee57 100755
--- a/gsupplicant/gsupplicant.h
+++ b/gsupplicant/gsupplicant.h
@@ -154,7 +154,11 @@ enum GSupplicantAPHiddenSSID {
 };
 
 struct _GSupplicantSSID {
+#if defined TIZEN_EXT
+	void *ssid;
+#else
 	const void *ssid;
+#endif
 	unsigned int ssid_len;
 	unsigned int scan_ssid;
 	GSupplicantMode mode;
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 5fedf02..c5c83f3 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -3187,6 +3187,9 @@ static void signal_bss_changed(const char *path, DBusMessageIter *iter)
 
 	memcpy(new_bss, bss, sizeof(struct g_supplicant_bss));
 	new_bss->path = g_strdup(bss->path);
+#if defined TIZEN_EXT
+	new_bss->vsie_list = NULL;
+#endif
 
 	g_hash_table_remove(interface->network_table, network->group);
 
@@ -4876,6 +4879,9 @@ static void interface_select_network_result(const char *error,
 	if (data->callback)
 		data->callback(err, data->interface, data->user_data);
 
+#if defined TIZEN_EXT
+	g_free(data->ssid->ssid);
+#endif
 	g_free(data->ssid);
 	dbus_free(data);
 }
@@ -4961,6 +4967,9 @@ error:
 	}
 
 	g_free(data->path);
+#if defined TIZEN_EXT
+	g_free(data->ssid->ssid);
+#endif
 	g_free(data->ssid);
 	g_free(data);
 }
@@ -5716,6 +5725,9 @@ done:
 		SUPPLICANT_DBG("AddNetwork failed %d", ret);
 		callback_assoc_failed(decrypt_request_data.data->user_data);
 		g_free(data->path);
+#if defined TIZEN_EXT
+		g_free(data->ssid->ssid);
+#endif
 		g_free(data->ssid);
 		dbus_free(data);
 	}
diff --git a/plugins/wifi.c b/plugins/wifi.c
index c471acc..6103dc8 100755
--- a/plugins/wifi.c
+++ b/plugins/wifi.c
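Review bot: The TIZEN_EXT branch of `struct _GSupplicantSSID` turns `ssid` from a borrowed `const void *` into a pointer that supplicant.c now hands to `g_free()`, but nothing in the header records that ownership change, so a caller that still assigns a non-heap buffer (as `ssid_ap_init` in plugins/wifi.c does with `(void *) ssid`) cannot see the contract from the declaration. A comment on the field would make it explicit, e.g. `/* TIZEN_EXT: heap copy owned by this struct; gsupplicant frees it together with the struct */`. Whether every consumer that frees the struct is also one whose producer allocated the field is not visible from this hunk.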
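Review bot: Clearing `new_bss->vsie_list` after the `memcpy` stops the copy from sharing the list that `remove_bss` frees when the old network's table is destroyed (the invalid read in the first trace), but it also means the replacement bss carries no vendor IEs at all. If anything reads `vsie_list` from the bss after `add_or_replace_bss_to_network`, it will now see an empty list where the original had data; a deep copy of the list (element type not visible here) would avoid both the dangling pointer and the loss. A short comment at the assignment, `/* the list belongs to the old bss and is freed with it below; never share it */`, would explain the NULL to the next reader. signal_bss_changed starts and ends outside this hunk.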
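Review bot: The new `g_free(data->ssid->ssid)` in interface_select_network_result dereferences `data->ssid` unconditionally, whereas the `g_free(data->ssid)` it precedes tolerated a NULL pointer; the hunks at `error:` (old line 4961) and `done:` (old line 5716) add the same line with the same property. If any path reaches these cleanups with `data->ssid == NULL` (cannot be confirmed from the hunks), the added line is a NULL dereference where there was none before. A guarded form, `if (data->ssid) g_free(data->ssid->ssid);`, keeps the previous tolerance at all three sites.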
@@ -2509,11 +2509,21 @@ static GSupplicantEapKeymgmt network_eap_keymgmt(const char *security)
 static void ssid_init(GSupplicantSSID *ssid, struct connman_network *network)
 {
 	const char *security;
+#if defined TIZEN_EXT
+	const void *ssid_data;
+#endif
 
 	memset(ssid, 0, sizeof(*ssid));
 	ssid->mode = G_SUPPLICANT_MODE_INFRA;
+#if defined TIZEN_EXT
+	ssid_data = connman_network_get_blob(network, "WiFi.SSID",
+						&ssid->ssid_len);
+	ssid->ssid = g_try_malloc0(ssid->ssid_len);
+	memcpy(ssid->ssid, ssid_data, ssid->ssid_len);
+#else
 	ssid->ssid = connman_network_get_blob(network, "WiFi.SSID",
 						&ssid->ssid_len);
+#endif
 	ssid->scan_ssid = 1;
 	security = connman_network_get_string(network, "WiFi.Security");
 	ssid->security = network_security(security);
@@ -2614,6 +2624,9 @@ static int network_connect(struct connman_network *network)
 
 	if (wifi->disconnecting) {
 		wifi->pending_network = network;
+#if defined TIZEN_EXT
+		g_free(ssid->ssid);
+#endif
 		g_free(ssid);
 	} else {
 		wifi->network = connman_network_ref(network);
@@ -4038,7 +4051,11 @@ static GSupplicantSSID *ssid_ap_init(const char *ssid,
 		return NULL;
 
 	ap->mode = G_SUPPLICANT_MODE_MASTER;
+#if defined TIZEN_EXT
+	ap->ssid = (void *) ssid;
+#else
 	ap->ssid = ssid;
+#endif
 	ap->ssid_len = strlen(ssid);
 	ap->scan_ssid = 0;
 	ap->freq = 2412;
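Review bot: `ssid->ssid = g_try_malloc0(ssid->ssid_len)` is followed by a `memcpy` into it without checking the result, so an allocation failure (and a zero `ssid_len`, for which `g_try_malloc0` returns NULL) writes through a NULL pointer. Guard the copy, `if (ssid->ssid && ssid_data) memcpy(ssid->ssid, ssid_data, ssid->ssid_len);`, and note that because `ssid_init` returns void the caller will still pass a struct with `ssid == NULL` down to gsupplicant in that case, so the failure may be worth propagating. The copy itself is what addresses the second trace (the blob read after free in interface_add_network_params), which a comment such as `/* take a private copy: the network blob may be freed before the D-Bus call is built */` would record. ssid_init continues past the end of the hunk.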
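Review bot: `ap->ssid = (void *) ssid;` stores a borrowed, caller-owned string in a field that the TIZEN_EXT build of supplicant.c now releases with `g_free(data->ssid->ssid)`, so the two halves of this change disagree about who owns `ssid` unless AP-mode structs never reach those cleanup paths, which is not visible here. If the AP path is shared, `ap->ssid = g_strdup(ssid);` would make ownership uniform with `ssid_init`; if it is not, a comment, `/* borrowed: the AP ssid belongs to the caller and must not be freed */`, should say so. ssid_ap_init begins before this hunk.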