diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2023-09-12 05:17:05 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-09-15 14:07:43 +0000 |
| commit | 0b110f1e3e172f3ec29a1ff548ef30adfaa82277 (patch) | |
| tree | 824eddb27b24e81fb3b8d3d5e09853634d90725d | |
| parent | 45703ac1172cc56d8f2b3bebf57309c87b7ee85f (diff) | |
| download | ports-0b110f1e3e172f3ec29a1ff548ef30adfaa82277.tar.gz ports-0b110f1e3e172f3ec29a1ff548ef30adfaa82277.zip | |
security/wpa_supplicant-devel: Fix uninitialized packet pointer on error
The packet pointer (called packet) will remain uninitialized when
pcap_next_ex() returns an error. This occurs when the wlan
interface is shut down using ifconfig destroy. Adding a NULL
assignment to packet duplicates what pcap_next() does.
The reason we use pcap_next_ex() in this instance is because with
pacp_next() when we receive a null pointer if there was an error
or if no packets were read. With pcap_next_ex() we can differentiate
between an error and legitimately no packets were received.
PR: 270649, 273696
Obtained from: src 953efa5b200f
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit a872b8a14f51721830232b127cc6ac27663a903d)
| -rw-r--r-- | security/wpa_supplicant-devel/Makefile | 2 | ||||
| -rw-r--r-- | security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c | 28 |
2 files changed, 26 insertions, 4 deletions
diff --git a/security/wpa_supplicant-devel/Makefile b/security/wpa_supplicant-devel/Makefile index d28ed3db5b82..ccc6c1b32cdd 100644 --- a/security/wpa_supplicant-devel/Makefile +++ b/security/wpa_supplicant-devel/Makefile @@ -1,6 +1,6 @@ PORTNAME= wpa_supplicant PORTVERSION= ${COMMIT_DATE} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net PKGNAMESUFFIX= -devel diff --git a/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c b/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c index 62365bdc9900..224ca67ee95f 100644 --- a/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c +++ b/security/wpa_supplicant-devel/files/patch-src_l2__packet_l2__packet__freebsd.c @@ -1,5 +1,5 @@ --- src/l2_packet/l2_packet_freebsd.c.orig 2023-09-05 10:38:47.000000000 -0700 -+++ src/l2_packet/l2_packet_freebsd.c 2023-09-11 22:06:24.154851000 -0700 ++++ src/l2_packet/l2_packet_freebsd.c 2023-09-11 22:12:22.076149000 -0700 @@ -8,7 +8,10 @@ */ @@ -12,15 +12,37 @@ #include <net/bpf.h> #endif /* __APPLE__ */ #include <pcap.h> -@@ -82,7 +85,10 @@ +@@ -76,24 +79,28 @@ + { + struct l2_packet_data *l2 = eloop_ctx; + pcap_t *pcap = sock_ctx; +- struct pcap_pkthdr hdr; ++ struct pcap_pkthdr *hdr; + const u_char *packet; + struct l2_ethhdr *ethhdr; unsigned char *buf; size_t len; - packet = pcap_next(pcap, &hdr); + if (pcap_next_ex(pcap, &hdr, &packet) == -1) { + wpa_printf(MSG_ERROR, "Error reading packet, has device disappeared?"); ++ packet = NULL; + eloop_terminate(); + } - if (!l2->rx_callback || !packet || hdr.caplen < sizeof(*ethhdr)) +- if (!l2->rx_callback || !packet || hdr.caplen < sizeof(*ethhdr)) ++ if (!l2->rx_callback || !packet || hdr->caplen < sizeof(*ethhdr)) return; + + ethhdr = (struct l2_ethhdr *) packet; + if (l2->l2_hdr) { + buf = (unsigned char *) ethhdr; +- len = hdr.caplen; ++ len = hdr->caplen; + } else { + buf = (unsigned char *) (ethhdr + 1); +- len = hdr.caplen - sizeof(*ethhdr); ++ len = hdr->caplen - sizeof(*ethhdr); + } + l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len); + } |