gsupplicant: fix ASAN issue

Message ID	20241021225738.3057955-1-ram.subramanian@getcruise.com (mailing list archive)
State	Accepted
Commit	6bd975925b22ca6dca27b6eeac652ddc9f1165a1
Headers	show Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0DC8D1FDFA7 for <connman@lists.linux.dev>; Mon, 21 Oct 2024 22:58:02 +0000 (UTC) From: Ram Subramanian <ram.subramanian@getcruise.com> To: connman@lists.linux.dev Cc: Ram Subramanian <ram.subramanian@getcruise.com>, Chris Johnson <chris.johnson@getcruise.com> Subject: [PATCH] gsupplicant: fix ASAN issue Date: Mon, 21 Oct 2024 15:57:38 -0700 Message-ID: <20241021225738.3057955-1-ram.subramanian@getcruise.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII"
Series	gsupplicant: fix ASAN issue \| expand gsupplicant: fix ASAN issue

Message ID

20241021225738.3057955-1-ram.subramanian@getcruise.com (mailing list archive)

State

Accepted

Commit

6bd975925b22ca6dca27b6eeac652ddc9f1165a1

Headers

From: Ram Subramanian <ram.subramanian@getcruise.com>
To: connman@lists.linux.dev
Cc: Ram Subramanian <ram.subramanian@getcruise.com>,
	Chris Johnson <chris.johnson@getcruise.com>
Subject: [PATCH] gsupplicant: fix ASAN issue
Date: Mon, 21 Oct 2024 15:57:38 -0700
Message-ID: <20241021225738.3057955-1-ram.subramanian@getcruise.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"

Series

gsupplicant: fix ASAN issue | expand

Commit Message

Ram Subramanian Oct. 21, 2024, 10:57 p.m. UTC

The problem is `bss` and `bss->path` can be used after being freed, in
this line:

  g_hash_table_replace(bss_mapping, bss->path, interface);

This is because the following call:

  g_hash_table_replace(network->bss_table, ...)

could call remove_bss(), which will free both `bss->path` and `bss`.

So this commit switches the order of these statements.

Additionally, change `g_hash_table_replace` to `g_hash_table_insert`. We
already checked that `network->group` doesn't exist in
`interface->network_table` at this point.

Co-Authored-By: Chris Johnson <chris.johnson@getcruise.com>
---
 gsupplicant/supplicant.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

patchwork-bot+connman@kernel.org Oct. 24, 2024, 8:30 a.m. UTC | #1

Hello:

This patch was applied to connman.git (master)
by Marcel Holtmann <marcel@holtmann.org>:

On Mon, 21 Oct 2024 15:57:38 -0700 you wrote:
> The problem is `bss` and `bss->path` can be used after being freed, in
> this line:
> 
>   g_hash_table_replace(bss_mapping, bss->path, interface);
> 
> This is because the following call:
> 
> [...]

Here is the summary with links:
  - gsupplicant: fix ASAN issue
    https://git.kernel.org/pub/scm/network/connman/connman.git/?id=6bd975925b22

You are awesome, thank you!

diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 1b92ec44..f3be9e7b 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -1708,7 +1708,7 @@  static int add_or_replace_bss_to_network(struct g_supplicant_bss *bss)
 	network->config_table = g_hash_table_new_full(g_str_hash, g_str_equal,
 							g_free, g_free);
 
-	g_hash_table_replace(interface->network_table,
+	g_hash_table_insert(interface->network_table,
 						network->group, network);
 
 	callback_network_added(network);
@@ -1735,9 +1735,8 @@  done:
 	}
 
 	g_hash_table_replace(interface->bss_mapping, bss->path, network);
-	g_hash_table_replace(network->bss_table, bss->path, bss);
-
 	g_hash_table_replace(bss_mapping, bss->path, interface);
+	g_hash_table_replace(network->bss_table, bss->path, bss);
 
 	return 0;
 }

gsupplicant: fix ASAN issue

Commit Message

Comments

Patch