dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request

Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:

 72 bytes in 2 blocks are definitely lost in loss record 46 of 68
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
This commit is contained in:
Davide Caratti 2024-05-30 10:46:32 +02:00 committed by Jouni Malinen
parent 3b4f127084
commit 0c2d8417c6
2 changed files with 11 additions and 8 deletions

View file

@ -3501,9 +3501,14 @@ def test_dbus_p2p_service_discovery(dev, apdev):
if "InvalidArgs" not in str(e): if "InvalidArgs" not in str(e):
raise Exception("Unexpected error message for invalid AddService(): " + str(e)) raise Exception("Unexpected error message for invalid AddService(): " + str(e))
args = {'service_type': 'upnp', tests= [{'service_type': 'upnp',
'version': 0x10, 'version': 0x10,
'service': 'ssdp:foo'} 'service': 'ssdp:foo'},
{'service_type': 'upnp',
'version': 0x10,
'service': 'ssdp:bar',
'tlv': dbus.ByteArray(b"\x02\x00\x00\x01")}]
for args in tests:
ref = p2p.ServiceDiscoveryRequest(args) ref = p2p.ServiceDiscoveryRequest(args)
p2p.ServiceDiscoveryCancelRequest(ref) p2p.ServiceDiscoveryCancelRequest(ref)

View file

@ -2952,7 +2952,6 @@ DBusMessage * wpas_dbus_handler_p2p_service_sd_req(
if (tlv == NULL) if (tlv == NULL)
goto error; goto error;
ref = wpas_p2p_sd_request(wpa_s, addr, tlv); ref = wpas_p2p_sd_request(wpa_s, addr, tlv);
wpabuf_free(tlv);
} }
if (ref != 0) { if (ref != 0) {
@ -2964,14 +2963,13 @@ DBusMessage * wpas_dbus_handler_p2p_service_sd_req(
message, "Unable to send SD request"); message, "Unable to send SD request");
} }
out: out:
wpabuf_free(tlv);
os_free(service); os_free(service);
os_free(peer_object_path); os_free(peer_object_path);
return reply; return reply;
error_clear: error_clear:
wpa_dbus_dict_entry_clear(&entry); wpa_dbus_dict_entry_clear(&entry);
error: error:
if (tlv)
wpabuf_free(tlv);
reply = wpas_dbus_error_invalid_args(message, NULL); reply = wpas_dbus_error_invalid_args(message, NULL);
goto out; goto out;
} }