author Patrik Flykt <> 2014-08-01 10:41:11 (GMT)
committer Patrik Flykt <> 2014-08-04 08:41:33 (GMT)
commit aacafde8a0a9cf0b0cc7e0513e0952d3ae12b4f6 (patch)
tree a9a2ee9ec2e1b1568e7287b8707387485bb5e366 /gsupplicant
parent 5a2da7563f42f4634c8b56c9ccefc6f013e83d4c (diff)
supplicant: Return -ECANCELED when error message iterator is NULL
In normal cases when an error reply is received from wpa_supplicant, the code uses a DBusMessageIter struct from the stack and initializes it to point to the error return message in gsupplicant/dbus.c, method_call_reply(). When passed to parse_supplicant_error(), the iterator is valid, but contains no data and everything works fine.

When a gsupplicant pending call is cancelled by ConnMan, the cancellation code will call the callback instead with a NULL iterator. Explicitly catch this NULL iterator and return the default -ECANCELED to the caller instead of relying on the specific way the dbus library was compiled - either detecting NULL pointers or just plainly crashing.

The fix is based on a very similar one by Richard Röjfors but was made to be even more explicit and accompanied by a longer explanation.

The issue is shown with the following trace:

0 0xb6c24144 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
1 0xb6c27c0c in __GI_abort () at abort.c:89
2 0xb6e73ca8 in _dbus_abort () at /work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-sysdeps.c:94
3 0xb6e6b1b8 in _dbus_warn_check_failed (format=0xb6e77d44 "dbus message iterator is NULL\n") at /work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-internals.c:290
4 0xb6e5a728 in _dbus_message_iter_check (iter=0x0) at /work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-message.c:727
5 0xb6e5b734 in dbus_message_iter_get_arg_type (iter=iter@entry=0x0) at /work/my-arch/dbus/1.6.18-r0/dbus-1.6.18/dbus/dbus-message.c:2065
6 0x00025398 in parse_supplicant_error (iter=iter@entry=0x0) at gsupplicant/supplicant.c:3799
7 0x00025430 in interface_add_network_result (error=<optimized out>, iter=0x0, user_data=0x175b620) at gsupplicant/supplicant.c:3878
8 0x0002adac in supplicant_dbus_method_call_cancel_all (caller=caller@entry=0x1739d98) at gsupplicant/dbus.c:445
9 0x00029480 in g_supplicant_interface_cancel (interface=interface@entry=0x1739d98) at gsupplicant/supplicant.c:3020
10 0x00029898 in g_supplicant_interface_remove (interface=0x1739d98, callback=callback@entry=0x0, user_data=user_data@entry=0x0) at gsupplicant/supplicant.c:3487
11 0x00020df0 in wifi_disable (device=0x17306b0) at plugins/wifi.c:1134
12 0x0002f94c in __connman_device_disable (device=0x17306b0) at src/device.c:248
13 0x0005d450 in technology_affect_devices (enable_device=<optimized out>, technology=<optimized out>, technology=<optimized out>) at src/technology.c:630
14 0x0005d4d8 in technology_disable (technology=0x1738600) at src/technology.c:780
Diffstat (limited to 'gsupplicant')
1 files changed, 3 insertions, 0 deletions
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index d26b6e2..1886a40 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -3792,6 +3792,9 @@ static int parse_supplicant_error(DBusMessageIter *iter)
int err = -ECANCELED;
char *key;
+ if (!iter)
+ return err;
/* If the given passphrase is malformed wpa_s returns
* "invalid message format" but this error should be interpreted as
* invalid-key.
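Review bot: The new "if (!iter)" guard at the top of parse_supplicant_error() carries no comment saying when a NULL iterator can occur, so the reason lives only in the commit message; a one-line comment above it stating that a cancelled pending call invokes the callback with a NULL iterator would keep the check from being dropped as dead code later. The guard also returns err, which is -ECANCELED only because of the initializer just above it; returning -ECANCELED directly would keep the cancellation result stable if that default is ever changed. Since the trace shows supplicant_dbus_method_call_cancel_all() handing iter=0x0 to interface_add_network_result(), the other result callbacks reachable from that cancel path are worth checking for any use of the iterator that does not go through this function.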