Blame SOURCES/rh1440646-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch

From 5db86df6a849684fda6a7ee53978a1ba931848cb Mon Sep 17 00:00:00 2001
Message-Id: <5db86df6a849684fda6a7ee53978a1ba931848cb.1495014490.git.davide.caratti@gmail.com>
From: Davide Caratti <davide.caratti@gmail.com>
Date: Fri, 24 Mar 2017 10:25:24 +0100
Subject: [PATCH] macsec_linux: Fix NULL pointer dereference on error cases
In case wpa_supplicant is using driver_macsec_linux, but macsec module
is not (yet) loaded in the kernel, nl_socket_alloc() fails and drv->sk
is NULL. In this case, don't call libnl functions rtnl_link_add() or
rtnl_link_change() using such NULL pointer, to prevent program from
getting segmentation faults like:
 Program received signal SIGSEGV, Segmentation fault.
 nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
 365             if (sk->s_local.nl_pid == 0) {
 (gdb) p sk
 $1 = (const struct nl_sock *) 0x0
 (gdb) bt
 #0  nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
 #1  0x00007ffff79c56a0 in nl_complete_msg (sk=sk@entry=0x0,
  msg=msg@entry=0x55555595a1f0) at nl.c:491
 #2  0x00007ffff79c56d1 in nl_send_auto (sk=sk@entry=0x0,
  msg=msg@entry=0x55555595a1f0) at nl.c:522
 #3  0x00007ffff79c652f in nl_send_sync (sk=sk@entry=0x0,
  msg=0x55555595a1f0) at nl.c:556
 #4  0x00007ffff755faf5 in rtnl_link_add (sk=0x0,
  link=link@entry=0x55555595b0f0, flags=flags@entry=1024) at route/link.c:1548
 #5  0x000055555567a298 in macsec_drv_create_transmit_sc (priv=0x55555593b130,
  sc=0x55555593b320, conf_offset=<optimized out>) at ../src/drivers/driver_macsec_linux.c:998
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
---
 src/drivers/driver_macsec_linux.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
index 5dab77a..0694e60 100644
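--- a/src/drivers/driver_macsec_linux.c
+++ b/src/drivers/driver_macsec_linux.c
@@ -168,6 +168,9 @@ static int try_commit(struct macsec_drv_data *drv)
 {
 	int err;
 
+	if (!drv->sk)
+		return 0;
+
 	if (!drv->link)
 		return 0;
 
@@ -982,6 +985,11 @@ static int macsec_drv_create_transmit_sc(
 
 	wpa_printf(MSG_DEBUG, "%s", __func__);
 
+	if (!drv->sk) {
+		wpa_printf(MSG_ERROR, DRV_PREFIX "NULL rtnl socket");
+		return -1;
+	}
+
 	link = rtnl_link_macsec_alloc();
 	if (!link) {
 		wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't allocate link");
@@ -1048,6 +1056,9 @@ static int macsec_drv_delete_transmit_sc(void *priv, struct transmit_sc *sc)
 
 	wpa_printf(MSG_DEBUG, "%s", __func__);
 
+	if (!drv->sk)
+		return 0;
+
 	if (!drv->created_link) {
 		rtnl_link_put(drv->link);
 		drv->link = NULL;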
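Review bot: The early `return 0` added to try_commit() and to macsec_drv_delete_transmit_sc() reports success without any log line when `drv->sk` is NULL, while macsec_drv_create_transmit_sc() logs at MSG_ERROR and returns -1 for the same condition. In a MACsec driver a silently skipped commit means the requested protection settings never reach the kernel although the caller sees success, so the skip should at least be visible, e.g. `wpa_printf(MSG_DEBUG, DRV_PREFIX "no rtnl socket, commit skipped");` before the return in try_commit(), plus a short comment stating why 0 rather than -1 is returned. Whether driver initialisation should instead fail outright when the socket cannot be allocated cannot be judged from these hunks; all three function bodies continue outside them.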
-- 
2.7.4