git: a872b8a14f51 - main - security/wpa_supplicant-devel: Fix uninitialized packet pointer on error

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 12 Sep 2023 05:53:08 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a872b8a14f51721830232b127cc6ac27663a903d

commit a872b8a14f51721830232b127cc6ac27663a903d
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-09-12 05:17:05 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-09-12 05:51:13 +0000

    security/wpa_supplicant-devel: Fix uninitialized packet pointer on error
    
    The packet pointer (called packet) will remain uninitialized when
    pcap_next_ex() returns an error. This occurs when the wlan
    interface is shut down using ifconfig destroy. Adding a NULL
    assignment to packet duplicates what pcap_next() does.
    
    The reason we use pcap_next_ex() in this instance is because with
    pacp_next() when we receive a null pointer if there was an error
    or if no packets were read. With pcap_next_ex() we can differentiate
    between an error and legitimately no packets were received.
    
    PR:             270649, 273696
    Obtained from:  src 953efa5b200f
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFH:            2023Q3
---
 security/wpa_supplicant-devel/Makefile             |  2 +-
 .../patch-src_l2__packet_l2__packet__freebsd.c     | 28 +++++++++++++++++++---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/security/wpa_supplicant-devel/Makefile b/security/wpa_supplicant-devel/Makefile
index d28ed3db5b82..ccc6c1b32cdd 100644
--- a/security/wpa_supplicant-devel/Makefile
+++ b/security/wpa_supplicant-devel/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	wpa_supplicant
 PORTVERSION=	${COMMIT_DATE}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security net
 PKGNAMESUFFIX=	-devel
 
diff --git a/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c b/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c
index 62365bdc9900..224ca67ee95f 100644
--- a/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c
+++ b/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c
@@ -1,5 +1,5 @@
 --- src/l2_packet/l2_packet_freebsd.c.orig	2023-09-05 10:38:47.000000000 -0700
-+++ src/l2_packet/l2_packet_freebsd.c	2023-09-11 22:06:24.154851000 -0700
++++ src/l2_packet/l2_packet_freebsd.c	2023-09-11 22:12:22.076149000 -0700
 @@ -8,7 +8,10 @@
   */
  
@@ -12,15 +12,37 @@
  #include <net/bpf.h>
  #endif /* __APPLE__ */
  #include <pcap.h>
-@@ -82,7 +85,10 @@
+@@ -76,24 +79,28 @@
+ {
+ 	struct l2_packet_data *l2 = eloop_ctx;
+ 	pcap_t *pcap = sock_ctx;
+-	struct pcap_pkthdr hdr;
++	struct pcap_pkthdr *hdr;
+ 	const u_char *packet;
+ 	struct l2_ethhdr *ethhdr;
  	unsigned char *buf;
  	size_t len;
  
 -	packet = pcap_next(pcap, &hdr);
 +	if (pcap_next_ex(pcap, &hdr, &packet) == -1) {
 +		wpa_printf(MSG_ERROR, "Error reading packet, has device disappeared?");
++		packet = NULL;
 +		eloop_terminate();
 +	}
  
- 	if (!l2->rx_callback || !packet || hdr.caplen < sizeof(*ethhdr))
+-	if (!l2->rx_callback || !packet || hdr.caplen < sizeof(*ethhdr))
++	if (!l2->rx_callback || !packet || hdr->caplen < sizeof(*ethhdr))
  		return;
+ 
+ 	ethhdr = (struct l2_ethhdr *) packet;
+ 	if (l2->l2_hdr) {
+ 		buf = (unsigned char *) ethhdr;
+-		len = hdr.caplen;
++		len = hdr->caplen;
+ 	} else {
+ 		buf = (unsigned char *) (ethhdr + 1);
+-		len = hdr.caplen - sizeof(*ethhdr);
++		len = hdr->caplen - sizeof(*ethhdr);
+ 	}
+ 	l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len);
+ }