From patchwork Tue Apr 3 21:55:48 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Chinchilla, Angie V"
X-Patchwork-Id: 150556
From: Angie Chinchilla
To: hostap@lists.shmoo.com
Subject: [PATCH] P2P: Fix crash for failure case when WSC PIN is entered incorrectly.
Date: Tue, 3 Apr 2012 14:55:48 -0700
Message-Id: <1333490148-14294-1-git-send-email-angie.v.chinchilla@intel.com>
X-Mailer: git-send-email 1.7.0.4
List-Id: HostAP Project

When forming a P2P group using the WSC PIN method, if the PIN is entered
incorrectly, the P2P client supplicant instance will crash as a result of
cleanup happening on data that is still in use.

For example, here is the path for the first crash:

eap_wsc_process():
- creates struct wpabuf tmpbuf; on the stack
- sets data->in_buf = &tmpbuf;
- calls wps_process_msg()
- which calls wps_process_wsc_msg()
- which, in case WPS_M4: calls wps_fail_event()
- which calls wps->event_cb()
- wps->event_cb = wpa_supplicant_wps_event()
- wpa_supplicant_wps_event()
- wpa_supplicant_wps_event_fail()
- which calls wpas_clear_wps()
- which calls wpas_notify_network_removed()
- which calls wpas_p2p_network_removed()
- which calls wpas_p2p_group_formation_timeout()
- which calls wpas_group_formation_completed()
- which calls wpas_p2p_group_delete()
- which calls wpa_supplicant_remove_iface()
- which calls wpa_supplicant_deinit_iface()
- which calls wpa_supplicant_cleanup()
- which calls eapol_sm_deinit()
- ... which eventually uses the ptr data->in_buf to free tmpbuf, our stack
  variable, and then the supplicant crashes

If you fix this crash, you'll hit another. Fix it and then a segfault.

The way we're cleaning up and deleting data from under ourselves here just
isn't safe, so make the teardown portion of this async.
Signed-hostap: Angie Chinchilla Signed-hostap: Nirav Shah intended-for: hostap-1 --- wpa_supplicant/p2p_supplicant.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index 413d0b2..47a0994 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -4488,14 +4488,22 @@ int wpas_p2p_in_progress(struct wpa_supplicant *wpa_s) void wpas_p2p_network_removed(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) - { if (wpa_s->p2p_in_provisioning && ssid->p2p_group && eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s->parent, NULL) > 0) { + /** + * Remove the network by scheduling the group formation + * timeout to happen immediately. The teardown code + * needs to be scheduled to run asynch later so that we + * don't delete data from under ourselves unexpectedly. + * Calling wpas_p2p_group_formation_timeout directly + * causes a series of crashes in WPS failure scenarios. + */ wpa_printf(MSG_DEBUG, "P2P: Canceled group formation due to " "P2P group network getting removed"); - wpas_p2p_group_formation_timeout(wpa_s->parent, NULL); + eloop_register_timeout(0, 0, wpas_p2p_group_formation_timeout, + wpa_s->parent, NULL); } }
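Review bot: the deferred call now keeps a raw pointer to wpa_s->parent in the eloop queue, and nothing in this hunk cancels that timeout when the parent interface goes away; the function cancels a pending wpas_p2p_group_formation_timeout on entry, but if the parent is deinitialized before the zero-delay timeout fires (the very teardown path this patch is routing around), the handler will run on freed memory. Please confirm that the parent's deinit path calls eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s->parent, NULL), or add that cancel alongside this change. Two smaller points on the same hunk: the return value of eloop_register_timeout() is ignored (it can fail, in which case group formation is never completed and the debug message is misleading), and the new block comment uses the `/**` doxygen opener for an in-function comment where plain `/*` is the hostap convention; it would also read better placed directly above the eloop_register_timeout() call it explains, with "asynch" spelled "async" and "Remove the network by scheduling" changed to "Cancel group formation by scheduling", since the network removal is what triggered this path rather than what it does.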
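The commit message describes a re-entrancy hazard: a failure callback fired from deep inside message processing tears down the state the caller's frame still references (here a stack wpabuf reachable through data->in_buf), and the patch fixes it by deferring that teardown through a zero-delay eloop timeout so it runs only after the processing call has unwound. The following is an added example written for this page, not hostap's own code; the toy event loop, the wps_data fields, and the "hazard" counter that stands in for the real free-of-a-stack-object are assumptions made for the illustration. Only the pattern (synchronous teardown from inside a callback versus teardown deferred to the event loop) is taken from the page.

```c
/* Added example: synchronous vs. deferred teardown from inside a callback.
 * Not hostap code. toy_eloop_*, struct wps_data and the hazard counter are
 * assumptions for this illustration. */
#include <stddef.h>
#include <stdio.h>

typedef void (*eloop_timeout_handler)(void *eloop_data, void *user_ctx);

/* Toy eloop: FIFO of zero-delay timeouts, drained by toy_eloop_run_pending(). */
struct pending_timeout {
	eloop_timeout_handler handler;
	void *eloop_data;
	void *user_ctx;
};
static struct pending_timeout queue[8];
static size_t queue_len;

static int toy_eloop_register_timeout(eloop_timeout_handler handler,
				      void *eloop_data, void *user_ctx)
{
	if (queue_len >= sizeof(queue) / sizeof(queue[0]))
		return -1;
	queue[queue_len].handler = handler;
	queue[queue_len].eloop_data = eloop_data;
	queue[queue_len].user_ctx = user_ctx;
	queue_len++;
	return 0;
}

static void toy_eloop_run_pending(void)
{
	size_t i;
	/* queue_len is re-read each iteration, so handlers may enqueue more */
	for (i = 0; i < queue_len; i++)
		queue[i].handler(queue[i].eloop_data, queue[i].user_ctx);
	queue_len = 0;
}

struct wpabuf {
	const unsigned char *buf;
	size_t used;
};

struct wps_data {
	struct wpabuf *in_buf;	/* message being processed; NULL when idle */
	int torn_down;		/* teardown has run */
	int hazards;		/* teardown ran while in_buf was still live */
};

/* In the real bug this freed the caller's stack buffer through in_buf.
 * Here it only records that it would have done so. */
static void wps_teardown(void *eloop_data, void *user_ctx)
{
	struct wps_data *data = eloop_data;
	(void) user_ctx;
	if (data->in_buf != NULL)
		data->hazards++;	/* caller's frame is still active */
	data->in_buf = NULL;
	data->torn_down = 1;
}

/* Failure event raised from inside processing (e.g. wrong PIN).
 * defer == 0 is the original direct call; defer != 0 is the patched path. */
static void wps_fail_event(struct wps_data *data, int defer)
{
	if (defer)
		toy_eloop_register_timeout(wps_teardown, data, NULL);
	else
		wps_teardown(data, NULL);
}

/* Mirrors eap_wsc_process(): in_buf points at a stack object and is used
 * again after the event callback returns. */
static size_t process_msg(struct wps_data *data, const unsigned char *msg,
			  size_t len, int defer)
{
	struct wpabuf tmpbuf;
	size_t consumed;

	tmpbuf.buf = msg;
	tmpbuf.used = len;
	data->in_buf = &tmpbuf;
	wps_fail_event(data, defer);
	/* synchronous teardown already took in_buf away at this point */
	consumed = data->in_buf ? data->in_buf->used : 0;
	data->in_buf = NULL;
	return consumed;
}

/* One failing exchange on fresh state; teardown runs here or when drained. */
static struct wps_data run_failed_exchange(int defer)
{
	static const unsigned char m4[] = "M4 with wrong PIN";	/* constructed */
	struct wps_data data = { NULL, 0, 0 };

	process_msg(&data, m4, sizeof(m4) - 1, defer);
	toy_eloop_run_pending();	/* deferred teardown fires after unwinding */
	return data;
}

int hazards_after_failure(int defer) { return run_failed_exchange(defer).hazards; }
int teardown_ran_after_failure(int defer) { return run_failed_exchange(defer).torn_down; }

int main(void)
{
	printf("synchronous: hazards=%d torn_down=%d\n",
	       hazards_after_failure(0), teardown_ran_after_failure(0));
	printf("deferred:    hazards=%d torn_down=%d\n",
	       hazards_after_failure(1), teardown_ran_after_failure(1));
	return 0;
}
```

The synchronous path reports one hazard (teardown ran while the caller's stack buffer was still referenced), the deferred path reports none while still completing the teardown. Deferral introduces its own lifetime rule, which the toy loop does not enforce: the pointer handed over as eloop_data must stay valid until the queued timeout fires or is cancelled, so whatever frees that object must cancel the timeout first.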