projects / project / netifd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
proto-shell: fix potential use-after-free
[project/netifd.git] / proto-shell.c
1 #define _GNU_SOURCE
2
3 #include <string.h>
4 #include <stdlib.h>
5 #include <stdio.h>
6 #include <glob.h>
7 #include <unistd.h>
8 #include <fcntl.h>
9 #include <signal.h>
10
11 #include <arpa/inet.h>
12 #include <netinet/in.h>
13
14 #include <libubox/blobmsg_json.h>
15
16 #include "netifd.h"
17 #include "interface.h"
18 #include "interface-ip.h"
19 #include "proto.h"
20
21 static struct netifd_fd proto_fd;
22
23 enum proto_shell_sm {
24 S_IDLE,
25 S_SETUP,
26 S_SETUP_ABORT,
27 S_TEARDOWN,
28 };
29
30 struct proto_shell_handler {
31 struct list_head list;
32 struct proto_handler proto;
33 struct config_param_list config;
34 char *config_buf;
35 bool init_available;
36 char script_name[];
37 };
38
39 struct proto_shell_state {
40 struct interface_proto_state proto;
41 struct proto_shell_handler *handler;
42 struct blob_attr *config;
43
44 struct device_user l3_dev;
45
46 struct uloop_timeout teardown_timeout;
47
48 struct netifd_process script_task;
49 struct netifd_process proto_task;
50
51 enum proto_shell_sm sm;
52 bool proto_task_killed;
53
54 int last_error;
55 };
56
57 static int
58 proto_shell_handler(struct interface_proto_state *proto,
59 enum interface_proto_cmd cmd, bool force)
60 {
61 struct proto_shell_state *state;
62 struct proto_shell_handler *handler;
63 struct netifd_process *proc;
64 static char error_buf[32];
65 const char *argv[7];
66 char *envp[2];
67 const char *action;
68 char *config;
69 int ret, i = 0, j = 0;
70
71 state = container_of(proto, struct proto_shell_state, proto);
72 handler = state->handler;
73 proc = &state->script_task;
74
75 if (cmd == PROTO_CMD_SETUP) {
76 action = "setup";
77 state->last_error = -1;
78 } else {
79 if (state->sm == S_TEARDOWN)
80 return 0;
81
82 if (state->script_task.uloop.pending) {
83 if (state->sm != S_SETUP_ABORT) {
84 uloop_timeout_set(&state->teardown_timeout, 1000);
85 kill(state->script_task.uloop.pid, SIGTERM);
86 if (state->proto_task.uloop.pending)
87 kill(state->proto_task.uloop.pid, SIGTERM);
88 state->sm = S_SETUP_ABORT;
89 }
90 return 0;
91 }
92
93 action = "teardown";
94 state->sm = S_TEARDOWN;
95 if (state->last_error >= 0) {
96 snprintf(error_buf, sizeof(error_buf), "ERROR=%d", state->last_error);
97 envp[j++] = error_buf;
98 }
99 uloop_timeout_set(&state->teardown_timeout, 5000);
100 }
101
102 config = blobmsg_format_json(state->config, true);
103 if (!config)
104 return -1;
105
106 argv[i++] = handler->script_name;
107 argv[i++] = handler->proto.name;
108 argv[i++] = action;
109 argv[i++] = proto->iface->name;
110 argv[i++] = config;
111 if (proto->iface->main_dev.dev)
112 argv[i++] = proto->iface->main_dev.dev->ifname;
113 argv[i] = NULL;
114 envp[j] = NULL;
115
116 ret = netifd_start_process(argv, envp, proc);
117 free(config);
118
119 return ret;
120 }
121
122 static void
123 proto_shell_task_finish(struct proto_shell_state *state,
124 struct netifd_process *task)
125 {
126 switch (state->sm) {
127 case S_IDLE:
128 if (task == &state->proto_task)
129 state->proto.proto_event(&state->proto, IFPEV_LINK_LOST);
130 /* fall through */
131 case S_SETUP:
132 if (task == &state->proto_task)
133 proto_shell_handler(&state->proto, PROTO_CMD_TEARDOWN,
134 false);
135 break;
136
137 case S_SETUP_ABORT:
138 if (state->script_task.uloop.pending ||
139 state->proto_task.uloop.pending)
140 break;
141
142 uloop_timeout_cancel(&state->teardown_timeout);
143 state->sm = S_IDLE;
144 proto_shell_handler(&state->proto, PROTO_CMD_TEARDOWN, false);
145 break;
146
147 case S_TEARDOWN:
148 if (state->script_task.uloop.pending)
149 break;
150
151 if (state->proto_task.uloop.pending) {
152 if (!state->proto_task_killed)
153 kill(state->proto_task.uloop.pid, SIGTERM);
154 break;
155 }
156
157 uloop_timeout_cancel(&state->teardown_timeout);
158 state->sm = S_IDLE;
159 state->proto.proto_event(&state->proto, IFPEV_DOWN);
160 break;
161 }
162 }
163
164 static void
165 proto_shell_teardown_timeout_cb(struct uloop_timeout *timeout)
166 {
167 struct proto_shell_state *state;
168
169 state = container_of(timeout, struct proto_shell_state, teardown_timeout);
170
171 netifd_kill_process(&state->script_task);
172 netifd_kill_process(&state->proto_task);
173 proto_shell_task_finish(state, NULL);
174 }
175
176 static void
177 proto_shell_script_cb(struct netifd_process *p, int ret)
178 {
179 struct proto_shell_state *state;
180
181 state = container_of(p, struct proto_shell_state, script_task);
182 proto_shell_task_finish(state, p);
183 }
184
185 static void
186 proto_shell_task_cb(struct netifd_process *p, int ret)
187 {
188 struct proto_shell_state *state;
189
190 state = container_of(p, struct proto_shell_state, proto_task);
191
192 if (state->sm == S_IDLE || state->sm == S_SETUP)
193 state->last_error = WEXITSTATUS(ret);
194
195 proto_shell_task_finish(state, p);
196 }
197
198 static void
199 proto_shell_free(struct interface_proto_state *proto)
200 {
201 struct proto_shell_state *state;
202
203 state = container_of(proto, struct proto_shell_state, proto);
204 netifd_kill_process(&state->script_task);
205 netifd_kill_process(&state->proto_task);
206 free(state->config);
207 free(state);
208 }
209
210 static void
211 proto_shell_parse_route_list(struct interface *iface, struct blob_attr *attr,
212 bool v6)
213 {
214 struct blob_attr *cur;
215 int rem;
216
217 blobmsg_for_each_attr(cur, attr, rem) {
218 if (blobmsg_type(cur) != BLOBMSG_TYPE_TABLE) {
219 DPRINTF("Ignore wrong route type: %d\n", blobmsg_type(cur));
220 continue;
221 }
222
223 interface_ip_add_route(iface, cur, v6);
224 }
225 }
226
227 static struct device *
228 proto_shell_create_tunnel(const char *name, struct blob_attr *attr)
229 {
230 struct device *dev;
231 struct blob_buf b;
232
233 memset(&b, 0, sizeof(b));
234 blob_buf_init(&b, 0);
235 blob_put(&b, 0, blobmsg_data(attr), blobmsg_data_len(attr));
236 dev = device_create(name, &tunnel_device_type, blob_data(b.head));
237 blob_buf_free(&b);
238
239 return dev;
240 }
241
242 enum {
243 NOTIFY_ACTION,
244 NOTIFY_ERROR,
245 NOTIFY_COMMAND,
246 NOTIFY_ENV,
247 NOTIFY_SIGNAL,
248 NOTIFY_AVAILABLE,
249 NOTIFY_LINK_UP,
250 NOTIFY_IFNAME,
251 NOTIFY_ADDR_EXT,
252 NOTIFY_ROUTES,
253 NOTIFY_ROUTES6,
254 NOTIFY_TUNNEL,
255 __NOTIFY_LAST
256 };
257
258 static const struct blobmsg_policy notify_attr[__NOTIFY_LAST] = {
259 [NOTIFY_ACTION] = { .name = "action", .type = BLOBMSG_TYPE_INT32 },
260 [NOTIFY_ERROR] = { .name = "error", .type = BLOBMSG_TYPE_ARRAY },
261 [NOTIFY_COMMAND] = { .name = "command", .type = BLOBMSG_TYPE_ARRAY },
262 [NOTIFY_ENV] = { .name = "env", .type = BLOBMSG_TYPE_ARRAY },
263 [NOTIFY_SIGNAL] = { .name = "signal", .type = BLOBMSG_TYPE_INT32 },
264 [NOTIFY_AVAILABLE] = { .name = "available", .type = BLOBMSG_TYPE_BOOL },
265 [NOTIFY_LINK_UP] = { .name = "link-up", .type = BLOBMSG_TYPE_BOOL },
266 [NOTIFY_IFNAME] = { .name = "ifname", .type = BLOBMSG_TYPE_STRING },
267 [NOTIFY_ADDR_EXT] = { .name = "address-external", .type = BLOBMSG_TYPE_BOOL },
268 [NOTIFY_ROUTES] = { .name = "routes", .type = BLOBMSG_TYPE_ARRAY },
269 [NOTIFY_ROUTES6] = { .name = "routes6", .type = BLOBMSG_TYPE_ARRAY },
270 [NOTIFY_TUNNEL] = { .name = "tunnel", .type = BLOBMSG_TYPE_TABLE },
271 };
272
273 static int
274 proto_shell_update_link(struct proto_shell_state *state, struct blob_attr *data, struct blob_attr **tb)
275 {
276 struct interface *iface = state->proto.iface;
277 struct blob_attr *cur;
278 struct device *dev;
279 const char *devname;
280 int dev_create = 1;
281 bool addr_ext = false;
282 bool up;
283
284 if (!tb[NOTIFY_LINK_UP])
285 return UBUS_STATUS_INVALID_ARGUMENT;
286
287 up = blobmsg_get_bool(tb[NOTIFY_LINK_UP]);
288 if (!up) {
289 state->proto.proto_event(&state->proto, IFPEV_LINK_LOST);
290 return 0;
291 }
292
293 if ((cur = tb[NOTIFY_ADDR_EXT]) != NULL) {
294 addr_ext = blobmsg_get_bool(cur);
295 if (addr_ext)
296 dev_create = 2;
297 }
298
299 if (!tb[NOTIFY_IFNAME]) {
300 if (!iface->main_dev.dev)
301 return UBUS_STATUS_INVALID_ARGUMENT;
302 } else {
303 if (state->l3_dev.dev)
304 device_remove_user(&state->l3_dev);
305
306 devname = blobmsg_data(tb[NOTIFY_IFNAME]);
307 if (tb[NOTIFY_TUNNEL]) {
308 dev = proto_shell_create_tunnel(devname,
309 tb[NOTIFY_TUNNEL]);
310 if (!dev)
311 return UBUS_STATUS_INVALID_ARGUMENT;
312 } else {
313 dev = device_get(devname, dev_create);
314 if (!dev)
315 return UBUS_STATUS_NOT_FOUND;
316 }
317
318 device_add_user(&state->l3_dev, dev);
319 iface->l3_dev = &state->l3_dev;
320 device_claim(&state->l3_dev);
321 }
322
323 interface_update_start(iface);
324 proto_apply_ip_settings(iface, data, addr_ext);
325
326 if ((cur = tb[NOTIFY_ROUTES]) != NULL)
327 proto_shell_parse_route_list(state->proto.iface, cur, false);
328
329 if ((cur = tb[NOTIFY_ROUTES6]) != NULL)
330 proto_shell_parse_route_list(state->proto.iface, cur, true);
331
332 interface_update_complete(state->proto.iface);
333
334 state->proto.proto_event(&state->proto, IFPEV_UP);
335
336 return 0;
337 }
338
339 static bool
340 fill_string_list(struct blob_attr *attr, char **argv, int max)
341 {
342 struct blob_attr *cur;
343 int argc = 0;
344 int rem;
345
346 if (!attr)
347 goto out;
348
349 blobmsg_for_each_attr(cur, attr, rem) {
350 if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
351 return false;
352
353 if (!blobmsg_check_attr(cur, NULL))
354 return false;
355
356 argv[argc++] = blobmsg_data(cur);
357 if (argc == max - 1)
358 return false;
359 }
360
361 out:
362 argv[argc] = NULL;
363 return true;
364 }
365
366 static int
367 proto_shell_run_command(struct proto_shell_state *state, struct blob_attr **tb)
368 {
369 static char *argv[64];
370 static char *env[32];
371
372 if (!tb[NOTIFY_COMMAND])
373 goto error;
374
375 if (!fill_string_list(tb[NOTIFY_COMMAND], argv, ARRAY_SIZE(argv)))
376 goto error;
377
378 if (!fill_string_list(tb[NOTIFY_ENV], env, ARRAY_SIZE(env)))
379 goto error;
380
381 netifd_start_process((const char **) argv, (char **) env, &state->proto_task);
382
383 return 0;
384
385 error:
386 return UBUS_STATUS_INVALID_ARGUMENT;
387 }
388
389 static int
390 proto_shell_kill_command(struct proto_shell_state *state, struct blob_attr **tb)
391 {
392 unsigned int signal = ~0;
393
394 if (tb[NOTIFY_SIGNAL])
395 signal = blobmsg_get_u32(tb[NOTIFY_SIGNAL]);
396
397 if (signal > 31)
398 signal = SIGTERM;
399
400 if (state->proto_task.uloop.pending) {
401 state->proto_task_killed = true;
402 kill(state->proto_task.uloop.pid, signal);
403 }
404
405 return 0;
406 }
407
408 static int
409 proto_shell_notify_error(struct proto_shell_state *state, struct blob_attr **tb)
410 {
411 struct blob_attr *cur;
412 char *data[16];
413 int n_data = 0;
414 int rem;
415
416 if (!tb[NOTIFY_ERROR])
417 return UBUS_STATUS_INVALID_ARGUMENT;
418
419 blobmsg_for_each_attr(cur, tb[NOTIFY_ERROR], rem) {
420 if (n_data + 1 == ARRAY_SIZE(data))
421 goto error;
422
423 if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
424 goto error;
425
426 if (!blobmsg_check_attr(cur, NULL))
427 goto error;
428
429 data[n_data++] = blobmsg_data(cur);
430 }
431
432 if (!n_data)
433 goto error;
434
435 interface_add_error(state->proto.iface, state->handler->proto.name,
436 data[0], (const char **) &data[1], n_data - 1);
437
438 return 0;
439
440 error:
441 return UBUS_STATUS_INVALID_ARGUMENT;
442 }
443
444 static int
445 proto_shell_block_restart(struct proto_shell_state *state, struct blob_attr **tb)
446 {
447 state->proto.iface->autostart = false;
448 return 0;
449 }
450
451 static int
452 proto_shell_set_available(struct proto_shell_state *state, struct blob_attr **tb)
453 {
454 if (!tb[NOTIFY_AVAILABLE])
455 return UBUS_STATUS_INVALID_ARGUMENT;
456
457 interface_set_available(state->proto.iface, blobmsg_get_bool(tb[NOTIFY_AVAILABLE]));
458 return 0;
459 }
460
461 static int
462 proto_shell_notify(struct interface_proto_state *proto, struct blob_attr *attr)
463 {
464 struct proto_shell_state *state;
465 struct blob_attr *tb[__NOTIFY_LAST];
466
467 state = container_of(proto, struct proto_shell_state, proto);
468
469 blobmsg_parse(notify_attr, __NOTIFY_LAST, tb, blob_data(attr), blob_len(attr));
470 if (!tb[NOTIFY_ACTION])
471 return UBUS_STATUS_INVALID_ARGUMENT;
472
473 switch(blobmsg_get_u32(tb[NOTIFY_ACTION])) {
474 case 0:
475 return proto_shell_update_link(state, attr, tb);
476 case 1:
477 return proto_shell_run_command(state, tb);
478 case 2:
479 return proto_shell_kill_command(state, tb);
480 case 3:
481 return proto_shell_notify_error(state, tb);
482 case 4:
483 return proto_shell_block_restart(state, tb);
484 case 5:
485 return proto_shell_set_available(state, tb);
486 default:
487 return UBUS_STATUS_INVALID_ARGUMENT;
488 }
489 }
490
491 static struct interface_proto_state *
492 proto_shell_attach(const struct proto_handler *h, struct interface *iface,
493 struct blob_attr *attr)
494 {
495 struct proto_shell_state *state;
496
497 state = calloc(1, sizeof(*state));
498 state->config = malloc(blob_pad_len(attr));
499 if (!state->config)
500 goto error;
501
502 memcpy(state->config, attr, blob_pad_len(attr));
503 state->proto.free = proto_shell_free;
504 state->proto.notify = proto_shell_notify;
505 state->proto.cb = proto_shell_handler;
506 state->teardown_timeout.cb = proto_shell_teardown_timeout_cb;
507 state->script_task.cb = proto_shell_script_cb;
508 state->script_task.dir_fd = proto_fd.fd;
509 state->script_task.log_prefix = iface->name;
510 state->proto_task.cb = proto_shell_task_cb;
511 state->proto_task.dir_fd = proto_fd.fd;
512 state->proto_task.log_prefix = iface->name;
513 state->handler = container_of(h, struct proto_shell_handler, proto);
514
515 return &state->proto;
516
517 error:
518 free(state);
519 return NULL;
520 }
521
522 static json_object *
523 check_type(json_object *obj, json_type type)
524 {
525 if (!obj)
526 return NULL;
527
528 if (json_object_get_type(obj) != type)
529 return NULL;
530
531 return obj;
532 }
533
534 static inline json_object *
535 get_field(json_object *obj, const char *name, json_type type)
536 {
537 return check_type(json_object_object_get(obj, name), type);
538 }
539
540 static char *
541 proto_shell_parse_config(struct config_param_list *config, json_object *obj)
542 {
543 struct blobmsg_policy *attrs;
544 char *str_buf, *str_cur;
545 int str_len = 0;
546 int i;
547
548 config->n_params = json_object_array_length(obj);
549 attrs = calloc(1, sizeof(*attrs) * config->n_params);
550 if (!attrs)
551 return NULL;
552
553 config->params = attrs;
554 for (i = 0; i < config->n_params; i++) {
555 json_object *cur, *name, *type;
556
557 cur = check_type(json_object_array_get_idx(obj, i), json_type_array);
558 if (!cur)
559 goto error;
560
561 name = check_type(json_object_array_get_idx(cur, 0), json_type_string);
562 if (!name)
563 goto error;
564
565 type = check_type(json_object_array_get_idx(cur, 1), json_type_int);
566 if (!type)
567 goto error;
568
569 attrs[i].name = json_object_get_string(name);
570 attrs[i].type = json_object_get_int(type);
571 if (attrs[i].type > BLOBMSG_TYPE_LAST)
572 goto error;
573
574 str_len += strlen(attrs[i].name) + 1;
575 }
576
577 str_buf = malloc(str_len);
578 if (!str_buf)
579 goto error;
580
581 str_cur = str_buf;
582 for (i = 0; i < config->n_params; i++) {
583 const char *name = attrs[i].name;
584
585 attrs[i].name = str_cur;
586 str_cur += sprintf(str_cur, "%s", name) + 1;
587 }
588
589 return str_buf;
590
591 error:
592 free(attrs);
593 config->n_params = 0;
594 return NULL;
595 }
596
597 static void
598 proto_shell_add_handler(const char *script, json_object *obj)
599 {
600 struct proto_shell_handler *handler;
601 struct proto_handler *proto;
602 json_object *config, *tmp;
603 const char *name;
604 char *str;
605
606 if (!check_type(obj, json_type_object))
607 return;
608
609 tmp = get_field(obj, "name", json_type_string);
610 if (!tmp)
611 return;
612
613 name = json_object_get_string(tmp);
614
615 handler = calloc(1, sizeof(*handler) +
616 strlen(script) + 1 +
617 strlen(name) + 1);
618 if (!handler)
619 return;
620
621 strcpy(handler->script_name, script);
622
623 str = handler->script_name + strlen(handler->script_name) + 1;
624 strcpy(str, name);
625
626 proto = &handler->proto;
627 proto->name = str;
628 proto->config_params = &handler->config;
629 proto->attach = proto_shell_attach;
630
631 tmp = get_field(obj, "no-device", json_type_boolean);
632 if (tmp && json_object_get_boolean(tmp))
633 handler->proto.flags |= PROTO_FLAG_NODEV;
634
635 tmp = get_field(obj, "available", json_type_boolean);
636 if (tmp && json_object_get_boolean(tmp))
637 handler->proto.flags |= PROTO_FLAG_INIT_AVAILABLE;
638
639 config = get_field(obj, "config", json_type_array);
640 if (config)
641 handler->config_buf = proto_shell_parse_config(&handler->config, config);
642
643 DPRINTF("Add handler for script %s: %s\n", script, proto->name);
644 add_proto_handler(proto);
645 }
646
647 static void proto_shell_add_script(const char *name)
648 {
649 struct json_tokener *tok = NULL;
650 json_object *obj;
651 static char buf[512];
652 char *start, *cmd;
653 FILE *f;
654 int len;
655
656 #define DUMP_SUFFIX " '' dump"
657
658 cmd = alloca(strlen(name) + 1 + sizeof(DUMP_SUFFIX));
659 sprintf(cmd, "%s" DUMP_SUFFIX, name);
660
661 f = popen(cmd, "r");
662 if (!f)
663 return;
664
665 do {
666 start = fgets(buf, sizeof(buf), f);
667 if (!start)
668 continue;
669
670 len = strlen(start);
671
672 if (!tok)
673 tok = json_tokener_new();
674
675 obj = json_tokener_parse_ex(tok, start, len);
676 if (!is_error(obj)) {
677 proto_shell_add_handler(name, obj);
678 json_object_put(obj);
679 json_tokener_free(tok);
680 tok = NULL;
681 } else if (start[len - 1] == '\n') {
682 json_tokener_free(tok);
683 tok = NULL;
684 }
685 } while (!feof(f) && !ferror(f));
686
687 if (tok)
688 json_tokener_free(tok);
689
690 pclose(f);
691 }
692
693 static void __init proto_shell_init(void)
694 {
695 glob_t g;
696 int main_fd;
697 int i;
698
699 main_fd = open(".", O_RDONLY | O_DIRECTORY);
700 if (main_fd < 0)
701 return;
702
703 if (chdir(main_path)) {
704 perror("chdir(main path)");
705 goto close_cur;
706 }
707
708 if (chdir("./proto"))
709 goto close_cur;
710
711 proto_fd.fd = open(".", O_RDONLY | O_DIRECTORY);
712 if (proto_fd.fd < 0)
713 goto close_cur;
714
715 netifd_fd_add(&proto_fd);
716 glob("./*.sh", 0, NULL, &g);
717 for (i = 0; i < g.gl_pathc; i++)
718 proto_shell_add_script(g.gl_pathv[i]);
719
720 close_cur:
721 fchdir(main_fd);
722 close(main_fd);
723 }
OpenWrt Network interface configuration daemon