[network-manager-applet] libnm-gtk: fix use-after-free of 802.1x usernames/passwords



commit eeb2430b933e938a0e2432689ed926f94367270b
Author: Dan Williams <dcbw redhat com>
Date:   Tue Aug 27 14:57:46 2013 -0500

    libnm-gtk: fix use-after-free of 802.1x usernames/passwords
    
    The EAPMethod objects must keep a reference to the WirelessSecurity
    objects that they use, otherwise the WS can get freed before the
    EAPMethod does and wireless_security_set_userpass() can get called
    on an already-freed WirelessSecurity.

 src/wireless-security/eap-method-leap.c   |   26 ++++++++++++++++++++++++--
 src/wireless-security/eap-method-simple.c |   26 ++++++++++++++++++++++++--
 2 files changed, 48 insertions(+), 4 deletions(-)
---
diff --git a/src/wireless-security/eap-method-leap.c b/src/wireless-security/eap-method-leap.c
index 281ff2b..5dd8e8c 100644
--- a/src/wireless-security/eap-method-leap.c
+++ b/src/wireless-security/eap-method-leap.c
@@ -139,6 +139,28 @@ widgets_unrealized (GtkWidget *widget, EAPMethodLEAP *method)
                                        gtk_toggle_button_get_active (method->show_password));
 }
 
+static void
+destroy (EAPMethod *parent)
+{
+       EAPMethodLEAP *method = (EAPMethodLEAP *) parent;
+       GtkWidget *widget;
+
+       widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_leap_notebook"));
+       g_assert (widget);
+
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) widgets_realized,
+                                             method);
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) widgets_unrealized,
+                                             method);
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) wireless_security_changed_cb,
+                                             method->ws_parent);
+
+       wireless_security_unref (method->ws_parent);
+}
+
 EAPMethodLEAP *
 eap_method_leap_new (WirelessSecurity *ws_parent,
                      NMConnection *connection,
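Review bot: The third `g_signal_handlers_disconnect_by_func` in `destroy` looks up `wireless_security_changed_cb` on the `eap_leap_notebook` widget, but the matching `g_signal_connect` calls are not in this diff, and the constructor arguments in the next hunk (`"eap_leap_username_entry"`) suggest the callback may be attached to the entry widgets instead. If so, this call matches nothing and the entries keep a handler whose data pointer is `method->ws_parent` after `wireless_security_unref` drops the reference, which is the same dangling-pointer pattern the commit sets out to fix. Disconnecting on the widgets that were actually connected, e.g. `g_signal_handlers_disconnect_by_data (entry, method->ws_parent);` for each entry, would close that gap; the `destroy` added to eap-method-simple.c has the same shape and needs the same check.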
@@ -153,7 +175,7 @@ eap_method_leap_new (WirelessSecurity *ws_parent,
                                  add_to_size_group,
                                  fill_connection,
                                  update_secrets,
-                                 NULL,
+                                 destroy,
                                  UIDIR "/eap-method-leap.ui",
                                  "eap_leap_notebook",
                                  "eap_leap_username_entry",
@@ -163,7 +185,7 @@ eap_method_leap_new (WirelessSecurity *ws_parent,
 
        method = (EAPMethodLEAP *) parent;
        method->new_connection = secrets_only ? FALSE : TRUE;
-       method->ws_parent = ws_parent;
+       method->ws_parent = wireless_security_ref (ws_parent);
 
        widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_leap_notebook"));
        g_assert (widget);
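Review bot: The strong reference taken with `wireless_security_ref (ws_parent)` has no comment saying who releases it, and it may create a reference cycle. Whether the WirelessSecurity also holds a reference to this EAPMethod is not visible in the hunk; if it does, neither refcount reaches zero, `destroy` never runs, and the 802.1x username and password stay in memory for the life of the process. An ownership comment such as `/* Held until destroy(); callbacks may run after the caller drops its ref */` would document the intent, and explicit teardown from the owning object would avoid the cycle if one exists. eap_method_leap_new continues outside the hunk, and the same assignment appears in eap_method_simple_new.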
diff --git a/src/wireless-security/eap-method-simple.c b/src/wireless-security/eap-method-simple.c
index 02bff33..9218ecb 100644
--- a/src/wireless-security/eap-method-simple.c
+++ b/src/wireless-security/eap-method-simple.c
@@ -217,6 +217,28 @@ widgets_unrealized (GtkWidget *widget, EAPMethodSimple *method)
                                        gtk_toggle_button_get_active (method->show_password));
 }
 
+static void
+destroy (EAPMethod *parent)
+{
+       EAPMethodSimple *method = (EAPMethodSimple *) parent;
+       GtkWidget *widget;
+
+       widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_simple_notebook"));
+       g_assert (widget);
+
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) widgets_realized,
+                                             method);
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) widgets_unrealized,
+                                             method);
+       g_signal_handlers_disconnect_by_func (G_OBJECT (widget),
+                                             (GCallback) wireless_security_changed_cb,
+                                             method->ws_parent);
+
+       wireless_security_unref (method->ws_parent);
+}
+
 EAPMethodSimple *
 eap_method_simple_new (WirelessSecurity *ws_parent,
                        NMConnection *connection,
@@ -236,7 +258,7 @@ eap_method_simple_new (WirelessSecurity *ws_parent,
                                  add_to_size_group,
                                  fill_connection,
                                  update_secrets,
-                                 NULL,
+                                 destroy,
                                  UIDIR "/eap-method-simple.ui",
                                  "eap_simple_notebook",
                                  "eap_simple_username_entry",
@@ -248,7 +270,7 @@ eap_method_simple_new (WirelessSecurity *ws_parent,
        method->type = type;
        method->is_editor = is_editor;
        method->new_connection = secrets_only ? FALSE : TRUE;
-       method->ws_parent = ws_parent;
+       method->ws_parent = wireless_security_ref (ws_parent);
 
        widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_simple_notebook"));
        g_assert (widget);

