Use ref counting for network during SignalPoll method call of wpa_supplicant.submit/tizen/20200811.004738accepted/tizen/unified/20200812.144017

Description: This patch fixes the issue in which dangling network pointer
is present as user_data of signalpoll_callback.

This dangling pointer crashes connman with below backtrace:-

>>> bt
\#0  connman_device_get_ident (device=0x6e6f632f) at src/device.c:592
\#1  0xb6f54994 in __connman_network_get_ident (network=network@entry=0xb87715b0) at src/network.c:1560
\#2  0xb6f652da in connman_service_lookup_from_network (network=network@entry=0xb87715b0) at src/service.c:10177
\#3  0xb6f655ee in __connman_service_notify_strength_changed (network=network@entry=0xb87715b0) at src/service.c:10523
\#4  0xb6f5527c in connman_network_set_strength (network=network@entry=0xb87715b0, strength=strength@entry=69 'E') at src/network.c:2704
\#5  0xb6f36ac0 in signalpoll_callback (result=<optimized out>, maxspeed=39, strength=69, user_data=0xb87715b0) at plugins/wifi.c:3866
\#6  0xb6f3b68e in interface_signalpoll_result (error=<optimized out>, iter=<optimized out>, user_data=0xb8782af8) at gsupplicant/supplicant.c:6348
\#7  0xb6f4335a in method_call_reply (call=0xb8771ec0, user_data=0xb8782c98) at gsupplicant/dbus.c:476
\#8  0xb6da23a4 in ?? () from /lib/libdbus-1.so.3
\#9  0xb6da5fa0 in dbus_connection_dispatch () from /lib/libdbus-1.so.3
\#10 0xb6f94dce in message_dispatch (data=0xb875fe78) at gdbus/mainloop.c:72
\#11 0xb6e21d84 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
\#12 0xb6e22008 in ?? () from /lib/libglib-2.0.so.0
\#13 0xb6e22268 in g_main_loop_run () from /lib/libglib-2.0.so.0
\#14 0xb6f29d3e in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1373

Change-Id: Ia171c2ddabf6a4f9c3d6a6bbd3763398b6e0ce46
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>

2 files changed, 11 insertions, 6 deletions

diff --git a/packaging/connman.spec b/packaging/connman.spec
index 275161f3..ff83e103 100644
--- a/packaging/connman.spec
+++ b/packaging/connman.spec
@@ -5,7 +5,7 @@
 
 Name:           connman
 Version:        1.37
-Release:        42
+Release:        43
 License:        GPL-2.0+
 Summary:        Connection Manager
 Url:            http://connman.net
diff --git a/plugins/wifi.c b/plugins/wifi.c
index 2f70ee70..d998967f 100755
--- a/plugins/wifi.c
+++ b/plugins/wifi.c
@@ -3854,6 +3854,7 @@ static void signalpoll_callback(int result, int maxspeed, int strength,
 
 	if (result != 0) {
 		DBG("Failed to get maxspeed from signalpoll !");
+		connman_network_unref(network);
 		return;
 	}
 
@@ -3862,11 +3863,12 @@ static void signalpoll_callback(int result, int maxspeed, int strength,
 		strength = 100;
 
 	DBG("maxspeed = %d, strength = %d", maxspeed, strength);
-	if (network) {
-		connman_network_set_strength(network, (uint8_t)strength);
-		connman_network_set_maxspeed(network, maxspeed);
-		set_connection_mode(network, maxspeed);
-	}
+
+	connman_network_set_strength(network, (uint8_t)strength);
+	connman_network_set_maxspeed(network, maxspeed);
+	set_connection_mode(network, maxspeed);
+
+	connman_network_unref(network);
 }
 
 static int network_signalpoll(struct wifi_data *wifi)
@@ -3877,6 +3879,8 @@ static int network_signalpoll(struct wifi_data *wifi)
 	if (!wifi || !wifi->network)
 		return -ENODEV;
 
+	wifi->network = connman_network_ref(wifi->network);
+
 	interface = wifi->interface;
 	network = wifi->network;
 
@@ -3898,6 +3902,7 @@ static gboolean autosignalpoll_timeout(gpointer data)
 	if (ret < 0) {
 		DBG("Fail to get max speed !!");
 		wifi->automaxspeed_timeout = 0;
+		connman_network_unref(wifi->network);
 		return FALSE;
 	}