mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-18 10:54:03 -05:00
wpabuf: Add WPA_TRACE code to validate correct freeing of wpabuf
Use an extra header to move the returned pointer to break os_free() or free() of the returned value and verify that the correct magic is present when freeing or resizing the wpabuf. Show backtrace on invalid wpabuf use.
This commit is contained in:
parent
859db534bf
commit
eeb04821ad
@ -15,13 +15,37 @@
|
|||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
|
#include "trace.h"
|
||||||
#include "wpabuf.h"
|
#include "wpabuf.h"
|
||||||
|
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
#define WPABUF_MAGIC 0x51a974e3
|
||||||
|
|
||||||
|
struct wpabuf_trace {
|
||||||
|
unsigned int magic;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct wpabuf_trace * wpabuf_get_trace(const struct wpabuf *buf)
|
||||||
|
{
|
||||||
|
return (struct wpabuf_trace *)
|
||||||
|
((const u8 *) buf - sizeof(struct wpabuf_trace));
|
||||||
|
}
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
|
|
||||||
|
|
||||||
static void wpabuf_overflow(const struct wpabuf *buf, size_t len)
|
static void wpabuf_overflow(const struct wpabuf *buf, size_t len)
|
||||||
{
|
{
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
struct wpabuf_trace *trace = wpabuf_get_trace(buf);
|
||||||
|
if (trace->magic != WPABUF_MAGIC) {
|
||||||
|
wpa_printf(MSG_ERROR, "wpabuf: invalid magic %x",
|
||||||
|
trace->magic);
|
||||||
|
}
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
wpa_printf(MSG_ERROR, "wpabuf %p (size=%lu used=%lu) overflow len=%lu",
|
wpa_printf(MSG_ERROR, "wpabuf %p (size=%lu used=%lu) overflow len=%lu",
|
||||||
buf, (unsigned long) buf->size, (unsigned long) buf->used,
|
buf, (unsigned long) buf->size, (unsigned long) buf->used,
|
||||||
(unsigned long) len);
|
(unsigned long) len);
|
||||||
|
wpa_trace_show("wpabuf overflow");
|
||||||
abort();
|
abort();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -29,10 +53,25 @@ static void wpabuf_overflow(const struct wpabuf *buf, size_t len)
|
|||||||
int wpabuf_resize(struct wpabuf **_buf, size_t add_len)
|
int wpabuf_resize(struct wpabuf **_buf, size_t add_len)
|
||||||
{
|
{
|
||||||
struct wpabuf *buf = *_buf;
|
struct wpabuf *buf = *_buf;
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
struct wpabuf_trace *trace;
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
|
|
||||||
if (buf == NULL) {
|
if (buf == NULL) {
|
||||||
*_buf = wpabuf_alloc(add_len);
|
*_buf = wpabuf_alloc(add_len);
|
||||||
return *_buf == NULL ? -1 : 0;
|
return *_buf == NULL ? -1 : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
trace = wpabuf_get_trace(buf);
|
||||||
|
if (trace->magic != WPABUF_MAGIC) {
|
||||||
|
wpa_printf(MSG_ERROR, "wpabuf: invalid magic %x",
|
||||||
|
trace->magic);
|
||||||
|
wpa_trace_show("wpabuf_resize invalid magic");
|
||||||
|
abort();
|
||||||
|
}
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
|
|
||||||
if (buf->used + add_len > buf->size) {
|
if (buf->used + add_len > buf->size) {
|
||||||
unsigned char *nbuf;
|
unsigned char *nbuf;
|
||||||
if (buf->ext_data) {
|
if (buf->ext_data) {
|
||||||
@ -42,6 +81,18 @@ int wpabuf_resize(struct wpabuf **_buf, size_t add_len)
|
|||||||
os_memset(nbuf + buf->used, 0, add_len);
|
os_memset(nbuf + buf->used, 0, add_len);
|
||||||
buf->ext_data = nbuf;
|
buf->ext_data = nbuf;
|
||||||
} else {
|
} else {
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
nbuf = os_realloc(trace, sizeof(struct wpabuf_trace) +
|
||||||
|
sizeof(struct wpabuf) +
|
||||||
|
buf->used + add_len);
|
||||||
|
if (nbuf == NULL)
|
||||||
|
return -1;
|
||||||
|
trace = (struct wpabuf_trace *) nbuf;
|
||||||
|
buf = (struct wpabuf *) (trace + 1);
|
||||||
|
os_memset(nbuf + sizeof(struct wpabuf_trace) +
|
||||||
|
sizeof(struct wpabuf) + buf->used, 0,
|
||||||
|
add_len);
|
||||||
|
#else /* WPA_TRACE */
|
||||||
nbuf = os_realloc(buf, sizeof(struct wpabuf) +
|
nbuf = os_realloc(buf, sizeof(struct wpabuf) +
|
||||||
buf->used + add_len);
|
buf->used + add_len);
|
||||||
if (nbuf == NULL)
|
if (nbuf == NULL)
|
||||||
@ -49,6 +100,7 @@ int wpabuf_resize(struct wpabuf **_buf, size_t add_len)
|
|||||||
buf = (struct wpabuf *) nbuf;
|
buf = (struct wpabuf *) nbuf;
|
||||||
os_memset(nbuf + sizeof(struct wpabuf) + buf->used, 0,
|
os_memset(nbuf + sizeof(struct wpabuf) + buf->used, 0,
|
||||||
add_len);
|
add_len);
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
*_buf = buf;
|
*_buf = buf;
|
||||||
}
|
}
|
||||||
buf->size = buf->used + add_len;
|
buf->size = buf->used + add_len;
|
||||||
@ -65,9 +117,20 @@ int wpabuf_resize(struct wpabuf **_buf, size_t add_len)
|
|||||||
*/
|
*/
|
||||||
struct wpabuf * wpabuf_alloc(size_t len)
|
struct wpabuf * wpabuf_alloc(size_t len)
|
||||||
{
|
{
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
struct wpabuf_trace *trace = os_zalloc(sizeof(struct wpabuf_trace) +
|
||||||
|
sizeof(struct wpabuf) + len);
|
||||||
|
struct wpabuf *buf;
|
||||||
|
if (trace == NULL)
|
||||||
|
return NULL;
|
||||||
|
trace->magic = WPABUF_MAGIC;
|
||||||
|
buf = (struct wpabuf *) (trace + 1);
|
||||||
|
#else /* WPA_TRACE */
|
||||||
struct wpabuf *buf = os_zalloc(sizeof(struct wpabuf) + len);
|
struct wpabuf *buf = os_zalloc(sizeof(struct wpabuf) + len);
|
||||||
if (buf == NULL)
|
if (buf == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
|
|
||||||
buf->size = len;
|
buf->size = len;
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
@ -75,9 +138,19 @@ struct wpabuf * wpabuf_alloc(size_t len)
|
|||||||
|
|
||||||
struct wpabuf * wpabuf_alloc_ext_data(u8 *data, size_t len)
|
struct wpabuf * wpabuf_alloc_ext_data(u8 *data, size_t len)
|
||||||
{
|
{
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
struct wpabuf_trace *trace = os_zalloc(sizeof(struct wpabuf_trace) +
|
||||||
|
sizeof(struct wpabuf));
|
||||||
|
struct wpabuf *buf;
|
||||||
|
if (trace == NULL)
|
||||||
|
return NULL;
|
||||||
|
trace->magic = WPABUF_MAGIC;
|
||||||
|
buf = (struct wpabuf *) (trace + 1);
|
||||||
|
#else /* WPA_TRACE */
|
||||||
struct wpabuf *buf = os_zalloc(sizeof(struct wpabuf));
|
struct wpabuf *buf = os_zalloc(sizeof(struct wpabuf));
|
||||||
if (buf == NULL)
|
if (buf == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
|
|
||||||
buf->size = len;
|
buf->size = len;
|
||||||
buf->used = len;
|
buf->used = len;
|
||||||
@ -111,10 +184,25 @@ struct wpabuf * wpabuf_dup(const struct wpabuf *src)
|
|||||||
*/
|
*/
|
||||||
void wpabuf_free(struct wpabuf *buf)
|
void wpabuf_free(struct wpabuf *buf)
|
||||||
{
|
{
|
||||||
|
#ifdef WPA_TRACE
|
||||||
|
struct wpabuf_trace *trace;
|
||||||
|
if (buf == NULL)
|
||||||
|
return;
|
||||||
|
trace = wpabuf_get_trace(buf);
|
||||||
|
if (trace->magic != WPABUF_MAGIC) {
|
||||||
|
wpa_printf(MSG_ERROR, "wpabuf_free: invalid magic %x",
|
||||||
|
trace->magic);
|
||||||
|
wpa_trace_show("wpabuf_free magic mismatch");
|
||||||
|
abort();
|
||||||
|
}
|
||||||
|
os_free(buf->ext_data);
|
||||||
|
os_free(trace);
|
||||||
|
#else /* WPA_TRACE */
|
||||||
if (buf == NULL)
|
if (buf == NULL)
|
||||||
return;
|
return;
|
||||||
os_free(buf->ext_data);
|
os_free(buf->ext_data);
|
||||||
os_free(buf);
|
os_free(buf);
|
||||||
|
#endif /* WPA_TRACE */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user