From 5f35f869119cb64a3f9ebb8972e901f3fd6f2807 Mon Sep 17 00:00:00 2001 From: Nishant Chaprana Date: Tue, 4 Aug 2020 18:15:24 +0530 Subject: [PATCH] Use ref counting for network during SignalPoll method call of wpa_supplicant. Description: This patch fixes the issue in which dangling network pointer is present as user_data of signalpoll_callback. This dangling pointer crashes connman with below backtrace:- >>> bt \#0 connman_device_get_ident (device=0x6e6f632f) at src/device.c:592 \#1 0xb6f54994 in __connman_network_get_ident (network=network@entry=0xb87715b0) at src/network.c:1560 \#2 0xb6f652da in connman_service_lookup_from_network (network=network@entry=0xb87715b0) at src/service.c:10177 \#3 0xb6f655ee in __connman_service_notify_strength_changed (network=network@entry=0xb87715b0) at src/service.c:10523 \#4 0xb6f5527c in connman_network_set_strength (network=network@entry=0xb87715b0, strength=strength@entry=69 'E') at src/network.c:2704 \#5 0xb6f36ac0 in signalpoll_callback (result=, maxspeed=39, strength=69, user_data=0xb87715b0) at plugins/wifi.c:3866 \#6 0xb6f3b68e in interface_signalpoll_result (error=, iter=, user_data=0xb8782af8) at gsupplicant/supplicant.c:6348 \#7 0xb6f4335a in method_call_reply (call=0xb8771ec0, user_data=0xb8782c98) at gsupplicant/dbus.c:476 \#8 0xb6da23a4 in ?? () from /lib/libdbus-1.so.3 \#9 0xb6da5fa0 in dbus_connection_dispatch () from /lib/libdbus-1.so.3 \#10 0xb6f94dce in message_dispatch (data=0xb875fe78) at gdbus/mainloop.c:72 \#11 0xb6e21d84 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 \#12 0xb6e22008 in ?? () from /lib/libglib-2.0.so.0 \#13 0xb6e22268 in g_main_loop_run () from /lib/libglib-2.0.so.0 \#14 0xb6f29d3e in main (argc=, argv=) at src/main.c:1373 Change-Id: Ia171c2ddabf6a4f9c3d6a6bbd3763398b6e0ce46 Signed-off-by: Nishant Chaprana --- packaging/connman.spec | 2 +- plugins/wifi.c | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) 
diff --git a/packaging/connman.spec b/packaging/connman.spec index 275161f..ff83e10 100644 --- a/packaging/connman.spec +++ b/packaging/connman.spec @@ -5,7 +5,7 @@ Name: connman Version: 1.37 -Release: 42 +Release: 43 License: GPL-2.0+ Summary: Connection Manager Url: http://connman.net diff --git a/plugins/wifi.c b/plugins/wifi.c index 2f70ee7..d998967 100755 --- a/plugins/wifi.c +++ b/plugins/wifi.c @@ -3854,6 +3854,7 @@ static void signalpoll_callback(int result, int maxspeed, int strength, if (result != 0) { DBG("Failed to get maxspeed from signalpoll !"); + connman_network_unref(network); return; } @@ -3862,11 +3863,12 @@ static void signalpoll_callback(int result, int maxspeed, int strength, strength = 100; DBG("maxspeed = %d, strength = %d", maxspeed, strength); - if (network) { - connman_network_set_strength(network, (uint8_t)strength); - connman_network_set_maxspeed(network, maxspeed); - set_connection_mode(network, maxspeed); - } + + connman_network_set_strength(network, (uint8_t)strength); + connman_network_set_maxspeed(network, maxspeed); + set_connection_mode(network, maxspeed); + + connman_network_unref(network); } static int network_signalpoll(struct wifi_data *wifi) @@ -3877,6 +3879,8 @@ static int network_signalpoll(struct wifi_data *wifi) if (!wifi || !wifi->network) return -ENODEV; + wifi->network = connman_network_ref(wifi->network); + interface = wifi->interface; network = wifi->network; @@ -3898,6 +3902,7 @@ static gboolean autosignalpoll_timeout(gpointer data) if (ret < 0) { DBG("Fail to get max speed !!"); wifi->automaxspeed_timeout = 0; + connman_network_unref(wifi->network); return FALSE; } -- 2.7.4
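Review bot: With the `if (network)` guard removed in the `@@ -3862` hunk, signalpoll_callback now dereferences and unrefs user_data unconditionally on both exit paths (the `result != 0` return in the `@@ -3854` hunk and the end of the function), so it silently depends on network_signalpoll() never passing NULL and always having taken a reference. That contract deserves a comment at the top of the callback, e.g. `/* user_data is a referenced connman_network from network_signalpoll(); released on every return path */`. The reference only keeps the network structure allocated; whether the network is still attached to a device when the reply arrives is not visible here, and the backtrace in the commit message faulted in connman_device_get_ident(), so it is worth confirming that connman_network_set_strength() tolerates a network detached from its device in the meantime. The callback's signature and first lines are outside the hunk.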
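Review bot: The unref added to autosignalpoll_timeout (`@@ -3898` hunk) is not balanced on the `-ENODEV` path: network_signalpoll() (`@@ -3877` hunk) returns before `connman_network_ref()` when `wifi->network` is NULL, and the caller then runs `connman_network_unref(wifi->network)` on that NULL pointer, which will fault unless connman_network_unref() accepts NULL (not shown in this diff). Any other error return inside network_signalpoll(), or any other caller of it outside the visible lines, risks the opposite imbalance and either leaks the reference or drops one that was never taken. Releasing the reference inside network_signalpoll() when the supplicant request fails, e.g. `if (ret < 0) connman_network_unref(network);` right after the call (which is outside the hunk, so the variable name is assumed), and removing the unref from autosignalpoll_timeout would keep the take/release pair in one place. Taking the reference into the local, `network = connman_network_ref(wifi->network);`, instead of assigning back to `wifi->network` would also make it clearer that the in-flight request owns it. Both function bodies continue outside the hunks.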