wireless: fix use-after-free bug
[project/netifd.git] / bridge.c
index 1725162..4ef0d7e 100644 (file)
--- a/bridge.c
+++ b/bridge.c
@@ -26,10 +26,12 @@ enum {
        BRIDGE_ATTR_IFNAME,
        BRIDGE_ATTR_STP,
        BRIDGE_ATTR_FORWARD_DELAY,
        BRIDGE_ATTR_IFNAME,
        BRIDGE_ATTR_STP,
        BRIDGE_ATTR_FORWARD_DELAY,
+       BRIDGE_ATTR_PRIORITY,
        BRIDGE_ATTR_IGMP_SNOOP,
        BRIDGE_ATTR_AGEING_TIME,
        BRIDGE_ATTR_HELLO_TIME,
        BRIDGE_ATTR_MAX_AGE,
        BRIDGE_ATTR_IGMP_SNOOP,
        BRIDGE_ATTR_AGEING_TIME,
        BRIDGE_ATTR_HELLO_TIME,
        BRIDGE_ATTR_MAX_AGE,
+       BRIDGE_ATTR_BRIDGE_EMPTY,
        __BRIDGE_ATTR_MAX
 };
 
        __BRIDGE_ATTR_MAX
 };
 
@@ -37,17 +39,19 @@ static const struct blobmsg_policy bridge_attrs[__BRIDGE_ATTR_MAX] = {
        [BRIDGE_ATTR_IFNAME] = { "ifname", BLOBMSG_TYPE_ARRAY },
        [BRIDGE_ATTR_STP] = { "stp", BLOBMSG_TYPE_BOOL },
        [BRIDGE_ATTR_FORWARD_DELAY] = { "forward_delay", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_IFNAME] = { "ifname", BLOBMSG_TYPE_ARRAY },
        [BRIDGE_ATTR_STP] = { "stp", BLOBMSG_TYPE_BOOL },
        [BRIDGE_ATTR_FORWARD_DELAY] = { "forward_delay", BLOBMSG_TYPE_INT32 },
+       [BRIDGE_ATTR_PRIORITY] = { "priority", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_AGEING_TIME] = { "ageing_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_HELLO_TIME] = { "hello_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_MAX_AGE] = { "max_age", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_IGMP_SNOOP] = { "igmp_snooping", BLOBMSG_TYPE_BOOL },
        [BRIDGE_ATTR_AGEING_TIME] = { "ageing_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_HELLO_TIME] = { "hello_time", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_MAX_AGE] = { "max_age", BLOBMSG_TYPE_INT32 },
        [BRIDGE_ATTR_IGMP_SNOOP] = { "igmp_snooping", BLOBMSG_TYPE_BOOL },
+       [BRIDGE_ATTR_BRIDGE_EMPTY] = { "bridge_empty", BLOBMSG_TYPE_BOOL },
 };
 
 };
 
-static const union config_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = {
+static const struct uci_blob_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = {
        [BRIDGE_ATTR_IFNAME] = { .type = BLOBMSG_TYPE_STRING },
 };
 
        [BRIDGE_ATTR_IFNAME] = { .type = BLOBMSG_TYPE_STRING },
 };
 
-static const struct config_param_list bridge_attr_list = {
+static const struct uci_blob_param_list bridge_attr_list = {
        .n_params = __BRIDGE_ATTR_MAX,
        .params = bridge_attrs,
        .info = bridge_attr_info,
        .n_params = __BRIDGE_ATTR_MAX,
        .params = bridge_attrs,
        .info = bridge_attr_info,
@@ -102,13 +106,24 @@ bridge_reset_primary(struct bridge_state *bst)
 {
        struct bridge_member *bm;
 
 {
        struct bridge_member *bm;
 
+       if (!bst->primary_port &&
+           (bst->dev.settings.flags & DEV_OPT_MACADDR))
+               return;
+
        bst->primary_port = NULL;
        bst->primary_port = NULL;
+       bst->dev.settings.flags &= ~DEV_OPT_MACADDR;
        vlist_for_each_element(&bst->members, bm, node) {
        vlist_for_each_element(&bst->members, bm, node) {
+               uint8_t *macaddr;
+
                if (!bm->present)
                        continue;
 
                bst->primary_port = bm;
                if (!bm->present)
                        continue;
 
                bst->primary_port = bm;
-               memcpy(bst->dev.settings.macaddr, bm->dev.dev->settings.macaddr, 6);
+               if (bm->dev.dev->settings.flags & DEV_OPT_MACADDR)
+                       macaddr = bm->dev.dev->settings.macaddr;
+               else
+                       macaddr = bm->dev.dev->orig_settings.macaddr;
+               memcpy(bst->dev.settings.macaddr, macaddr, 6);
                bst->dev.settings.flags |= DEV_OPT_MACADDR;
                return;
        }
                bst->dev.settings.flags |= DEV_OPT_MACADDR;
                return;
        }
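Review bot: The fallback branch copies `bm->dev.dev->orig_settings.macaddr` without checking that the member's original address was ever recorded, so a member whose `orig_settings` is still zeroed would give the bridge an all-zero MAC that is then marked valid through `DEV_OPT_MACADDR`; whether `orig_settings` is always populated by this point is not visible in the hunk. The new early return also needs a comment, since the same flag appears to cover both a configured and an inherited address; if that is the intent, something like `/* keep a MAC address set by configuration instead of inheriting one from a port */`. Assuming `macaddr` is a fixed array member, the literal `6` in the `memcpy` could be `sizeof(bst->dev.settings.macaddr)` so the copy length follows the field.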
@@ -163,7 +178,7 @@ bridge_remove_member(struct bridge_member *bm)
        if (!bm->present)
                return;
 
        if (!bm->present)
                return;
 
-       if (bm == bst->primary_port);
+       if (bm == bst->primary_port)
                bridge_reset_primary(bst);
 
        if (bst->dev.active)
                bridge_reset_primary(bst);
 
        if (bst->dev.active)
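Review bot: The unbraced `if` is what let the stray `;` slip in and turn `bridge_reset_primary(bst)` into an unconditional call; bracing the body, `if (bm == bst->primary_port) { bridge_reset_primary(bst); }`, makes that class of mistake visible in review. GCC's `-Wempty-body` (enabled by `-Wextra`) flags an empty `if` body of this kind, so it is worth confirming the build turns it on. bridge_remove_member continues past the end of this hunk.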
@@ -172,12 +187,38 @@ bridge_remove_member(struct bridge_member *bm)
        bm->present = false;
        bm->bst->n_present--;
 
        bm->present = false;
        bm->bst->n_present--;
 
+       if (bst->config.bridge_empty)
+               return;
+
        bst->force_active = false;
        if (bst->n_present == 0)
                device_set_present(&bst->dev, false);
 }
 
 static void
        bst->force_active = false;
        if (bst->n_present == 0)
                device_set_present(&bst->dev, false);
 }
 
 static void
+bridge_free_member(struct bridge_member *bm)
+{
+       struct device *dev = bm->dev.dev;
+
+       bridge_remove_member(bm);
+       device_remove_user(&bm->dev);
+
+       /*
+        * When reloading the config and moving a device from one bridge to
+        * another, the other bridge may have tried to claim this device
+        * before it was removed here.
+        * Ensure that claiming the device is retried by toggling its present
+        * state
+        */
+       if (dev->present) {
+               device_set_present(dev, false);
+               device_set_present(dev, true);
+       }
+
+       free(bm);
+}
+
+static void
 bridge_member_cb(struct device_user *dev, enum device_event ev)
 {
        struct bridge_member *bm = container_of(dev, struct bridge_member, dev);
 bridge_member_cb(struct device_user *dev, enum device_event ev)
 {
        struct bridge_member *bm = container_of(dev, struct bridge_member, dev);
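Review bot: In `bridge_free_member`, `dev` is captured before `device_remove_user(&bm->dev)` and dereferenced afterwards in `if (dev->present)`; if removing the last user can release the device (the device layer is not visible on this page), that read and the two `device_set_present` calls touch freed memory. `dev` is also used without a NULL check, which matters if a member can exist with `bm->dev.dev` unset. Either keep the device alive across the toggle or document why it must outlive this call, e.g. `/* dev is still referenced by <owner>, so it survives device_remove_user() */`, and guard the toggle with `if (dev && dev->present)`. The same helper is called from `bridge_member_update` in a later hunk, so the lifetime question applies there too.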
@@ -277,6 +318,9 @@ bridge_create_member(struct bridge_state *bst, struct device *dev, bool hotplug)
        struct bridge_member *bm;
 
        bm = calloc(1, sizeof(*bm) + strlen(dev->ifname) + 1);
        struct bridge_member *bm;
 
        bm = calloc(1, sizeof(*bm) + strlen(dev->ifname) + 1);
+       if (!bm)
+               return NULL;
+
        bm->bst = bst;
        bm->dev.cb = bridge_member_cb;
        bm->dev.hotplug = hotplug;
        bm->bst = bst;
        bm->dev.cb = bridge_member_cb;
        bm->dev.hotplug = hotplug;
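Review bot: `bridge_create_member` can now return NULL on allocation failure, so every caller has to tolerate that; the callers are outside this hunk, and any that dereferences the result or reports success unconditionally would need a matching check. A short comment on the function, such as `/* returns NULL if the member could not be allocated */`, would make the new contract explicit. The function body starts before and continues past this hunk.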
@@ -312,9 +356,7 @@ bridge_member_update(struct vlist_tree *tree, struct vlist_node *node_new,
 
        if (node_old) {
                bm = container_of(node_old, struct bridge_member, node);
 
        if (node_old) {
                bm = container_of(node_old, struct bridge_member, node);
-               bridge_remove_member(bm);
-               device_remove_user(&bm->dev);
-               free(bm);
+               bridge_free_member(bm);
        }
 }
 
        }
 }
 
@@ -410,12 +452,16 @@ bridge_config_init(struct device *dev)
 
        bst = container_of(dev, struct bridge_state, dev);
 
 
        bst = container_of(dev, struct bridge_state, dev);
 
-       if (!bst->ifnames)
-               return;
+       if (bst->config.bridge_empty) {
+               bst->force_active = true;
+               device_set_present(&bst->dev, true);
+       }
 
        vlist_update(&bst->members);
 
        vlist_update(&bst->members);
-       blobmsg_for_each_attr(cur, bst->ifnames, rem) {
-               bridge_add_member(bst, blobmsg_data(cur));
+       if (bst->ifnames) {
+               blobmsg_for_each_attr(cur, bst->ifnames, rem) {
+                       bridge_add_member(bst, blobmsg_data(cur));
+               }
        }
        vlist_flush(&bst->members);
 }
        }
        vlist_flush(&bst->members);
 }
@@ -429,7 +475,9 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
        /* defaults */
        cfg->stp = false;
        cfg->forward_delay = 2;
        /* defaults */
        cfg->stp = false;
        cfg->forward_delay = 2;
-       cfg->igmp_snoop = true;
+       cfg->igmp_snoop = false;
+       cfg->bridge_empty = false;
+       cfg->priority = 0x7FFF;
 
        if ((cur = tb[BRIDGE_ATTR_STP]))
                cfg->stp = blobmsg_get_bool(cur);
 
        if ((cur = tb[BRIDGE_ATTR_STP]))
                cfg->stp = blobmsg_get_bool(cur);
@@ -437,6 +485,9 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
        if ((cur = tb[BRIDGE_ATTR_FORWARD_DELAY]))
                cfg->forward_delay = blobmsg_get_u32(cur);
 
        if ((cur = tb[BRIDGE_ATTR_FORWARD_DELAY]))
                cfg->forward_delay = blobmsg_get_u32(cur);
 
+       if ((cur = tb[BRIDGE_ATTR_PRIORITY]))
+               cfg->priority = blobmsg_get_u32(cur);
+
        if ((cur = tb[BRIDGE_ATTR_IGMP_SNOOP]))
                cfg->igmp_snoop = blobmsg_get_bool(cur);
 
        if ((cur = tb[BRIDGE_ATTR_IGMP_SNOOP]))
                cfg->igmp_snoop = blobmsg_get_bool(cur);
 
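Review bot: `cfg->priority = blobmsg_get_u32(cur);` stores the configured value with no range check, while an STP bridge priority is a 16-bit quantity; depending on the type of `priority` (declared outside this page) a larger value is either truncated silently or passed on to be rejected later. Consider `uint32_t prio = blobmsg_get_u32(cur);` followed by `if (prio <= 0xFFFF) cfg->priority = prio;`, leaving the default in place otherwise. The default `0x7FFF` assigned in the previous hunk would also read better as a named constant with a comment on why that value was chosen. bridge_apply_settings starts and ends outside this hunk.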
@@ -454,6 +505,9 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
                cfg->max_age = blobmsg_get_u32(cur);
                cfg->flags |= BRIDGE_OPT_MAX_AGE;
        }
                cfg->max_age = blobmsg_get_u32(cur);
                cfg->flags |= BRIDGE_OPT_MAX_AGE;
        }
+
+       if ((cur = tb[BRIDGE_ATTR_BRIDGE_EMPTY]))
+               cfg->bridge_empty = blobmsg_get_bool(cur);
 }
 
 enum dev_change_type
 }
 
 enum dev_change_type
@@ -487,7 +541,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
-               config_diff(tb_dev, otb_dev, &device_attr_list, &diff);
+               uci_blob_diff(tb_dev, otb_dev, &device_attr_list, &diff);
                if (diff & ~(1 << DEV_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
                if (diff & ~(1 << DEV_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
@@ -495,7 +549,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
                        blob_data(bst->config_data), blob_len(bst->config_data));
 
                diff = 0;
-               config_diff(tb_br, otb_br, &bridge_attr_list, &diff);
+               uci_blob_diff(tb_br, otb_br, &bridge_attr_list, &diff);
                if (diff & ~(1 << BRIDGE_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
                if (diff & ~(1 << BRIDGE_ATTR_IFNAME))
                    ret = DEV_CONFIG_RESTART;
 
@@ -531,5 +585,3 @@ bridge_create(const char *name, struct blob_attr *attr)
 
        return dev;
 }
 
        return dev;
 }
-
-