wireless: fix use-after-free bug
[project/netifd.git] / bridge.c
index d3b2867..4ef0d7e 100644 (file)
--- a/bridge.c
+++ b/bridge.c
@@ -1,3 +1,16 @@
+/*
+ * netifd - network interface daemon
+ * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -13,10 +26,12 @@ enum {
        BRIDGE_ATTR_IFNAME,
        BRIDGE_ATTR_STP,
        BRIDGE_ATTR_FORWARD_DELAY,
+       BRIDGE_ATTR_PRIORITY,
        BRIDGE_ATTR_IGMP_SNOOP,
        BRIDGE_ATTR_AGEING_TIME,
        BRIDGE_ATTR_HELLO_TIME,
        BRIDGE_ATTR_MAX_AGE,
+       BRIDGE_ATTR_BRIDGE_EMPTY,
        __BRIDGE_ATTR_MAX
 };
 
@@ -24,17 +39,19 @@ static const struct blobmsg_policy bridge_attrs[__BRIDGE_ATTR_MAX] = {
        [BRIDGE_ATTR_IFNAME] = { "ifname", BLOBMSG_TYPE_ARRAY },
        [BRIDGE_ATTR_STP] = { "stp", BLOBMSG_TYPE_BOOL },
        [BRIDGE_ATTR_FORWARD_DELAY] = { "forward_delay", BLOBMSG_TYPE_INT32 },
+       [BRIDGE_ATTR_PRIORITY] = { "priority", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_AGEING_TIME] = { "ageing_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_HELLO_TIME] = { "hello_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_MAX_AGE] = { "max_age", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_IGMP_SNOOP] = { "igmp_snooping", BLOBMSG_TYPE_BOOL },
+       [BRIDGE_ATTR_BRIDGE_EMPTY] = { "bridge_empty", BLOBMSG_TYPE_BOOL },
 };
 
-static const union config_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = {
+static const struct uci_blob_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = {
        [BRIDGE_ATTR_IFNAME] = { .type = BLOBMSG_TYPE_STRING },
 };
 
-static const struct config_param_list bridge_attr_list = {
+static const struct uci_blob_param_list bridge_attr_list = {
        .n_params = __BRIDGE_ATTR_MAX,
        .params = bridge_attrs,
        .info = bridge_attr_info,
@@ -71,6 +88,7 @@ struct bridge_state {
        bool active;
        bool force_active;
 
+       struct bridge_member *primary_port;
        struct vlist_tree members;
        int n_present;
 };
@@ -83,6 +101,34 @@ struct bridge_member {
        char name[];
 };
 
+static void
+bridge_reset_primary(struct bridge_state *bst)
+{
+       struct bridge_member *bm;
+
+       if (!bst->primary_port &&
+           (bst->dev.settings.flags & DEV_OPT_MACADDR))
+               return;
+
+       bst->primary_port = NULL;
+       bst->dev.settings.flags &= ~DEV_OPT_MACADDR;
+       vlist_for_each_element(&bst->members, bm, node) {
+               uint8_t *macaddr;
+
+               if (!bm->present)
+                       continue;
+
+               bst->primary_port = bm;
+               if (bm->dev.dev->settings.flags & DEV_OPT_MACADDR)
+                       macaddr = bm->dev.dev->settings.macaddr;
+               else
+                       macaddr = bm->dev.dev->orig_settings.macaddr;
+               memcpy(bst->dev.settings.macaddr, macaddr, 6);
+               bst->dev.settings.flags |= DEV_OPT_MACADDR;
+               return;
+       }
+}
+
 static int
 bridge_disable_member(struct bridge_member *bm)
 {
@@ -132,17 +178,47 @@ bridge_remove_member(struct bridge_member *bm)
        if (!bm->present)
                return;
 
-       bm->present = false;
-       bm->bst->n_present--;
+       if (bm == bst->primary_port)
+               bridge_reset_primary(bst);
+
        if (bst->dev.active)
                bridge_disable_member(bm);
 
+       bm->present = false;
+       bm->bst->n_present--;
+
+       if (bst->config.bridge_empty)
+               return;
+
        bst->force_active = false;
        if (bst->n_present == 0)
                device_set_present(&bst->dev, false);
 }
 
 static void
+bridge_free_member(struct bridge_member *bm)
+{
+       struct device *dev = bm->dev.dev;
+
+       bridge_remove_member(bm);
+       device_remove_user(&bm->dev);
+
+       /*
+        * When reloading the config and moving a device from one bridge to
+        * another, the other bridge may have tried to claim this device
+        * before it was removed here.
+        * Ensure that claiming the device is retried by toggling its present
+        * state
+        */
+       if (dev->present) {
+               device_set_present(dev, false);
+               device_set_present(dev, true);
+       }
+
+       free(bm);
+}
+
+static void
 bridge_member_cb(struct device_user *dev, enum device_event ev)
 {
        struct bridge_member *bm = container_of(dev, struct bridge_member, dev);
@@ -214,6 +290,7 @@ bridge_set_up(struct bridge_state *bst)
                return -ENOENT;
        }
 
+       bridge_reset_primary(bst);
        ret = bst->set_state(&bst->dev, true);
        if (ret < 0)
                bridge_set_down(bst);
@@ -241,6 +318,9 @@ bridge_create_member(struct bridge_state *bst, struct device *dev, bool hotplug)
        struct bridge_member *bm;
 
        bm = calloc(1, sizeof(*bm) + strlen(dev->ifname) + 1);
+       if (!bm)
+               return NULL;
+
        bm->bst = bst;
        bm->dev.cb = bridge_member_cb;
        bm->dev.hotplug = hotplug;
@@ -276,9 +356,7 @@ bridge_member_update(struct vlist_tree *tree, struct vlist_node *node_new,
 
        if (node_old) {
                bm = container_of(node_old, struct bridge_member, node);
-               bridge_remove_member(bm);
-               device_remove_user(&bm->dev);
-               free(bm);
+               bridge_free_member(bm);
        }
 }
 
@@ -342,7 +420,6 @@ bridge_free(struct device *dev)
 {
        struct bridge_state *bst;
 
-       device_cleanup(dev);
        bst = container_of(dev, struct bridge_state, dev);
        vlist_flush_all(&bst->members);
        free(bst);
@@ -375,12 +452,16 @@ bridge_config_init(struct device *dev)
 
        bst = container_of(dev, struct bridge_state, dev);
 
-       if (!bst->ifnames)
-               return;
+       if (bst->config.bridge_empty) {
+               bst->force_active = true;
+               device_set_present(&bst->dev, true);
+       }
 
        vlist_update(&bst->members);
-       blobmsg_for_each_attr(cur, bst->ifnames, rem) {
-               bridge_add_member(bst, blobmsg_data(cur));
+       if (bst->ifnames) {
+               blobmsg_for_each_attr(cur, bst->ifnames, rem) {
+                       bridge_add_member(bst, blobmsg_data(cur));
+               }
        }
        vlist_flush(&bst->members);
 }
@@ -392,9 +473,11 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
        struct blob_attr *cur;
 
        /* defaults */
-       cfg->stp = true;
-       cfg->forward_delay = 1;
-       cfg->igmp_snoop = true;
+       cfg->stp = false;
+       cfg->forward_delay = 2;
+       cfg->igmp_snoop = false;
+       cfg->bridge_empty = false;
+       cfg->priority = 0x7FFF;
 
        if ((cur = tb[BRIDGE_ATTR_STP]))
                cfg->stp = blobmsg_get_bool(cur);
@@ -402,6 +485,9 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
        if ((cur = tb[BRIDGE_ATTR_FORWARD_DELAY]))
                cfg->forward_delay = blobmsg_get_u32(cur);
 
+       if ((cur = tb[BRIDGE_ATTR_PRIORITY]))
+               cfg->priority = blobmsg_get_u32(cur);
+
        if ((cur = tb[BRIDGE_ATTR_IGMP_SNOOP]))
                cfg->igmp_snoop = blobmsg_get_bool(cur);
 
@@ -419,6 +505,9 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
                cfg->max_age = blobmsg_get_u32(cur);
                cfg->flags |= BRIDGE_OPT_MAX_AGE;
        }
+
+       if ((cur = tb[BRIDGE_ATTR_BRIDGE_EMPTY]))
+               cfg->bridge_empty = blobmsg_get_bool(cur);
 }
 
 enum dev_change_type
@@ -452,7 +541,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
-               config_diff(tb_dev, otb_dev, &device_attr_list, &diff);
+               uci_blob_diff(tb_dev, otb_dev, &device_attr_list, &diff);
                if (diff & ~(1 << DEV_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
@@ -460,7 +549,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
-               config_diff(tb_br, otb_br, &bridge_attr_list, &diff);
+               uci_blob_diff(tb_br, otb_br, &bridge_attr_list, &diff);
                if (diff & ~(1 << BRIDGE_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
@@ -496,5 +585,3 @@ bridge_create(const char *name, struct blob_attr *attr)
 
        return dev;
 }
-
-