Version in base suite: 1.36-2.2 Base version: connman_1.36-2.2 Target version: connman_1.36-2.2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/connman/connman_1.36-2.2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/connman/connman_1.36-2.2+deb11u1.dsc changelog | 18 + patches/dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch | 45 ++ patches/dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch | 37 ++ patches/dnsproxy-Simplify-udp_server_event.patch | 40 ++ patches/dnsproxy-Validate-input-data-before-using-them.patch | 117 +++++++ patches/gweb-Fix-OOB-write-in-received_data.patch | 34 ++ patches/series | 7 patches/wispr-Add-reference-counter-to-portal-context.patch | 128 ++++++++ patches/wispr-Update-portal-context-references.patch | 160 ++++++++++ 9 files changed, 586 insertions(+) diff -Nru connman-1.36/debian/changelog connman-1.36/debian/changelog --- connman-1.36/debian/changelog 2021-06-09 18:48:07.000000000 +0000 +++ connman-1.36/debian/changelog 2022-09-03 18:04:37.000000000 +0000 @@ -1,3 +1,21 @@ +connman (1.36-2.2+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * dnsproxy: Simplify udp_server_event() + * dnsproxy: Validate input data before using them (CVE-2022-23096, + CVE-2022-23097) (Closes: #1004935) + * dnsproxy: Avoid 100 % busy loop in TCP server case (CVE-2022-23098) + (Closes: #1004935) + * dnsproxy: Keep timeout in TCP case even after connection is established + (CVE-2022-23098) (Closes: #1004935) + * gweb: Fix OOB write in received_data() (CVE-2022-32292) (Closes: #1016976) + * wispr: Add reference counter to portal context (CVE-2022-32293) + (Closes: #1016976) + * wispr: Update portal context references (CVE-2022-32293) + (Closes: #1016976) + + -- Salvatore Bonaccorso Sat, 03 Sep 2022 20:04:37 +0200 + connman (1.36-2.2) unstable; urgency=high * Non-maintainer upload. diff -Nru connman-1.36/debian/patches/dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch connman-1.36/debian/patches/dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch --- connman-1.36/debian/patches/dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch 2022-09-03 17:14:17.000000000 +0000 @@ -0,0 +1,45 @@ +From: Matthias Gerstner +Date: Tue, 25 Jan 2022 10:00:25 +0100 +Subject: dnsproxy: Avoid 100 % busy loop in TCP server case +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 +Bug-Debian: https://bugs.debian.org/1004935 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23098 + +Once the TCP socket is connected and until the remote server is +responding (if ever) ConnMan executes a 100 % CPU loop, since +the connected socket will always be writable (G_IO_OUT). + +To fix this, modify the watch after the connection is established to +remove the G_IO_OUT from the callback conditions. + +Fixes: CVE-2022-23098 +--- + src/dnsproxy.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index c027bcb972c4..1ccf36a95a35 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -2360,6 +2360,18 @@ hangup: + } + } + ++ /* ++ * Remove the G_IO_OUT flag from the watch, otherwise we end ++ * up in a busy loop, because the socket is constantly writable. ++ * ++ * There seems to be no better way in g_io to do that than ++ * re-adding the watch. ++ */ ++ g_source_remove(server->watch); ++ server->watch = g_io_add_watch(server->channel, ++ G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR, ++ tcp_server_event, server); ++ + server->connected = true; + server_list = g_slist_append(server_list, server); + +-- +2.37.2 + diff -Nru connman-1.36/debian/patches/dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch connman-1.36/debian/patches/dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch --- connman-1.36/debian/patches/dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch 2022-09-03 17:15:17.000000000 +0000 @@ -0,0 +1,37 @@ +From: Matthias Gerstner +Date: Tue, 25 Jan 2022 10:00:26 +0100 +Subject: dnsproxy: Keep timeout in TCP case even after connection is + established +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=5c34313a196515c80fe78a2862ad78174b985be5 +Bug-Debian: https://bugs.debian.org/1004935 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23098 + +If an outgoing TCP connection succeeds but the remote server never sends +back any data then currently the TCP connection will never be +terminated by connmand. + +To prevent this keep the connection timeout of 30 seconds active even +after the connection has been established. +--- + src/dnsproxy.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 1ccf36a95a35..cf1d36c74496 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -2375,11 +2375,6 @@ hangup: + server->connected = true; + server_list = g_slist_append(server_list, server); + +- if (server->timeout > 0) { +- g_source_remove(server->timeout); +- server->timeout = 0; +- } +- + for (list = request_list; list; ) { + struct request_data *req = list->data; + int status; +-- +2.37.2 + diff -Nru connman-1.36/debian/patches/dnsproxy-Simplify-udp_server_event.patch connman-1.36/debian/patches/dnsproxy-Simplify-udp_server_event.patch --- connman-1.36/debian/patches/dnsproxy-Simplify-udp_server_event.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/dnsproxy-Simplify-udp_server_event.patch 2022-09-03 17:11:56.000000000 +0000 @@ -0,0 +1,40 @@ +From: Slava Monich +Date: Thu, 23 Aug 2018 18:24:41 +0300 +Subject: dnsproxy: Simplify udp_server_event() +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=de020cc7e8ad11f81c879f60f22348f8a7798d4c + +--- + src/dnsproxy.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 1db3eae9cb47..49bc395c733a 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -2231,7 +2231,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, + gpointer user_data) + { + unsigned char buf[4096]; +- int sk, err, len; ++ int sk, len; + struct server_data *data = user_data; + + if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) { +@@ -2243,12 +2243,9 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, + sk = g_io_channel_unix_get_fd(channel); + + len = recv(sk, buf, sizeof(buf), 0); +- if (len < 12) +- return TRUE; + +- err = forward_dns_reply(buf, len, IPPROTO_UDP, data); +- if (err < 0) +- return TRUE; ++ if (len >= 12) ++ forward_dns_reply(buf, len, IPPROTO_UDP, data); + + return TRUE; + } +-- +2.37.2 + diff -Nru connman-1.36/debian/patches/dnsproxy-Validate-input-data-before-using-them.patch connman-1.36/debian/patches/dnsproxy-Validate-input-data-before-using-them.patch --- connman-1.36/debian/patches/dnsproxy-Validate-input-data-before-using-them.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/dnsproxy-Validate-input-data-before-using-them.patch 2022-09-03 17:12:21.000000000 +0000 @@ -0,0 +1,117 @@ +From: Daniel Wagner +Date: Tue, 25 Jan 2022 10:00:24 +0100 +Subject: dnsproxy: Validate input data before using them +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=e5a313736e13c90d19085e953a26256a198e4950 +Bug-Debian: https://bugs.debian.org/1004935 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23097 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23096 + +dnsproxy is not validating various input data. Add a bunch of checks. + +Fixes: CVE-2022-23097 +Fixes: CVE-2022-23096 +--- + src/dnsproxy.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index cdfafbc292f2..c027bcb972c4 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + + if (offset < 0) + return offset; ++ if (reply_len < 0) ++ return -EINVAL; ++ if (reply_len < offset + 1) ++ return -EINVAL; ++ if ((size_t)reply_len < sizeof(struct domain_hdr)) ++ return -EINVAL; + + hdr = (void *)(reply + offset); + dns_id = reply[offset] | reply[offset + 1] << 8; +@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + */ + if (req->append_domain && ntohs(hdr->qdcount) == 1) { + uint16_t domain_len = 0; +- uint16_t header_len; ++ uint16_t header_len, payload_len; + uint16_t dns_type, dns_class; + uint8_t host_len, dns_type_pos; + char uncompressed[NS_MAXDNAME], *uptr; + char *ptr, *eom = (char *)reply + reply_len; ++ char *domain; + + /* + * ptr points to the first char of the hostname. + * ->hostname.domain.net + */ + header_len = offset + sizeof(struct domain_hdr); ++ if (reply_len < header_len) ++ return -EINVAL; ++ payload_len = reply_len - header_len; ++ + ptr = (char *)reply + header_len; + + host_len = *ptr; ++ domain = ptr + 1 + host_len; ++ if (domain > eom) ++ return -EINVAL; ++ + if (host_len > 0) +- domain_len = strnlen(ptr + 1 + host_len, +- reply_len - header_len); ++ domain_len = strnlen(domain, eom - domain); + + /* + * If the query type is anything other than A or AAAA, +@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + */ + dns_type_pos = host_len + 1 + domain_len + 1; + ++ if (ptr + (dns_type_pos + 3) > eom) ++ return -EINVAL; + dns_type = ptr[dns_type_pos] << 8 | + ptr[dns_type_pos + 1]; + dns_class = ptr[dns_type_pos + 2] << 8 | +@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + int new_len, fixed_len; + char *answers; + ++ if (len > payload_len) ++ return -EINVAL; + /* + * First copy host (without domain name) into + * tmp buffer. +@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + * Copy type and class fields of the question. + */ + ptr += len + domain_len + 1; ++ if (ptr + NS_QFIXEDSZ > eom) ++ return -EINVAL; + memcpy(uptr, ptr, NS_QFIXEDSZ); + + /* +@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, + uptr += NS_QFIXEDSZ; + answers = uptr; + fixed_len = answers - uncompressed; ++ if (ptr + offset > eom) ++ return -EINVAL; + + /* + * We then uncompress the result to buffer +@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, + + len = recv(sk, buf, sizeof(buf), 0); + +- if (len >= 12) +- forward_dns_reply(buf, len, IPPROTO_UDP, data); ++ forward_dns_reply(buf, len, IPPROTO_UDP, data); + + return TRUE; + } +-- +2.37.2 + diff -Nru connman-1.36/debian/patches/gweb-Fix-OOB-write-in-received_data.patch connman-1.36/debian/patches/gweb-Fix-OOB-write-in-received_data.patch --- connman-1.36/debian/patches/gweb-Fix-OOB-write-in-received_data.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/gweb-Fix-OOB-write-in-received_data.patch 2022-09-03 17:27:24.000000000 +0000 @@ -0,0 +1,34 @@ +From: Nathan Crandall +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=d1a5ede5d255bde8ef707f8441b997563b9312bd +Bug-Debian: https://bugs.debian.org/1016976 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-32292 + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8ab32..13c6c5f25102 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +2.37.2 + diff -Nru connman-1.36/debian/patches/series connman-1.36/debian/patches/series --- connman-1.36/debian/patches/series 2021-06-09 18:47:04.000000000 +0000 +++ connman-1.36/debian/patches/series 2022-09-03 18:01:27.000000000 +0000 @@ -5,3 +5,10 @@ gdhcp-Avoid-leaking-stack-data-via-unitiialized-vari.patch dnsproxy-Add-length-checks-to-prevent-buffer-overflo.patch dnsproxy-Check-the-length-of-buffers-before-memcpy.patch +dnsproxy-Simplify-udp_server_event.patch +dnsproxy-Validate-input-data-before-using-them.patch +dnsproxy-Avoid-100-busy-loop-in-TCP-server-case.patch +dnsproxy-Keep-timeout-in-TCP-case-even-after-connect.patch +gweb-Fix-OOB-write-in-received_data.patch +wispr-Add-reference-counter-to-portal-context.patch +wispr-Update-portal-context-references.patch diff -Nru connman-1.36/debian/patches/wispr-Add-reference-counter-to-portal-context.patch connman-1.36/debian/patches/wispr-Add-reference-counter-to-portal-context.patch --- connman-1.36/debian/patches/wispr-Add-reference-counter-to-portal-context.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/wispr-Add-reference-counter-to-portal-context.patch 2022-09-03 18:00:27.000000000 +0000 @@ -0,0 +1,128 @@ +From: Daniel Wagner +Date: Tue, 5 Jul 2022 08:32:12 +0200 +Subject: wispr: Add reference counter to portal context +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=72343929836de80727a27d6744c869dff045757c +Bug-Debian: https://bugs.debian.org/1016976 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-32293 + +Track the connman_wispr_portal_context live time via a +refcounter. This only adds the infrastructure to do proper reference +counting. + +Fixes: CVE-2022-32293 +[Salvatore Bonaccorso: Backport to 1.36: Drop changes around f0bd0e8fe578 +("service: Add online to ready transition feature") upstream in 1.40] +--- + src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 10 deletions(-) + +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -59,6 +59,7 @@ struct wispr_route { + }; + + struct connman_wispr_portal_context { ++ int refcount; + struct connman_service *service; + enum connman_ipconfig_type type; + struct connman_wispr_portal *wispr_portal; +@@ -96,6 +97,11 @@ static bool wispr_portal_web_result(GWeb + + static GHashTable *wispr_portal_list = NULL; + ++#define wispr_portal_context_ref(wp_context) \ ++ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) ++#define wispr_portal_context_unref(wp_context) \ ++ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) ++ + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { + DBG(""); +@@ -161,9 +167,6 @@ static void free_connman_wispr_portal_co + { + DBG("context %p", wp_context); + +- if (!wp_context) +- return; +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -200,9 +203,38 @@ static void free_connman_wispr_portal_co + g_free(wp_context); + } + ++static struct connman_wispr_portal_context * ++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount + 1, file, line, caller); ++ ++ __sync_fetch_and_add(&wp_context->refcount, 1); ++ ++ return wp_context; ++} ++ ++static void wispr_portal_context_unref_debug( ++ struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ if (!wp_context) ++ return; ++ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount - 1, file, line, caller); ++ ++ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) ++ return; ++ ++ free_connman_wispr_portal_context(wp_context); ++} ++ + static struct connman_wispr_portal_context *create_wispr_portal_context(void) + { +- return g_try_new0(struct connman_wispr_portal_context, 1); ++ return wispr_portal_context_ref( ++ g_new0(struct connman_wispr_portal_context, 1)); + } + + static void free_connman_wispr_portal(gpointer data) +@@ -214,8 +246,8 @@ static void free_connman_wispr_portal(gp + if (!wispr_portal) + return; + +- free_connman_wispr_portal_context(wispr_portal->ipv4_context); +- free_connman_wispr_portal_context(wispr_portal->ipv6_context); ++ wispr_portal_context_unref(wispr_portal->ipv4_context); ++ wispr_portal_context_unref(wispr_portal->ipv6_context); + + g_free(wispr_portal); + } +@@ -592,7 +624,7 @@ static void wispr_portal_request_wispr_l + return; + } + +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + +@@ -903,7 +935,7 @@ static int wispr_portal_detect(struct co + + if (wp_context->token == 0) { + err = -EINVAL; +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + } + } else if (wp_context->timeout == 0) { + wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); +@@ -952,7 +984,7 @@ int __connman_wispr_start(struct connman + + /* If there is already an existing context, we wipe it */ + if (wp_context) +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + + wp_context = create_wispr_portal_context(); + if (!wp_context) diff -Nru connman-1.36/debian/patches/wispr-Update-portal-context-references.patch connman-1.36/debian/patches/wispr-Update-portal-context-references.patch --- connman-1.36/debian/patches/wispr-Update-portal-context-references.patch 1970-01-01 00:00:00.000000000 +0000 +++ connman-1.36/debian/patches/wispr-Update-portal-context-references.patch 2022-09-03 18:03:28.000000000 +0000 @@ -0,0 +1,160 @@ +From: Daniel Wagner +Date: Tue, 5 Jul 2022 09:11:09 +0200 +Subject: wispr: Update portal context references +Origin: https://git.kernel.org/pub/scm/network/connman/connman.git/commit?id=416bfaff988882c553c672e5bfc2d4f648d29e8a +Bug-Debian: https://bugs.debian.org/1016976 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-32293 + +Maintain proper portal context references to avoid UAF. + +Fixes: CVE-2022-32293 +[Salvatore Bonaccorso: Backport to 1.36: Drop changes around f0bd0e8fe578 +("service: Add online to ready transition feature") upstream in 1.40] +--- + src/wispr.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -104,8 +104,6 @@ static GHashTable *wispr_portal_list = N + + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { +- DBG(""); +- + msg->has_error = false; + msg->current_element = NULL; + +@@ -165,8 +163,6 @@ static void free_wispr_routes(struct con + static void free_connman_wispr_portal_context( + struct connman_wispr_portal_context *wp_context) + { +- DBG("context %p", wp_context); +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -541,14 +537,17 @@ static void wispr_portal_request_portal( + { + DBG(""); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + wp_context->status_url, + wispr_portal_web_result, + wispr_route_request, + wp_context); + +- if (wp_context->request_id == 0) ++ if (wp_context->request_id == 0) { + wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); ++ } + } + + static bool wispr_input(const guint8 **data, gsize *length, +@@ -594,13 +593,15 @@ static void wispr_portal_browser_reply_c + return; + + if (!authentication_done) { +- wispr_portal_error(wp_context); + free_wispr_routes(wp_context); ++ wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + + /* Restarting the test */ + __connman_service_wispr_start(service, wp_context->type); ++ wispr_portal_context_unref(wp_context); + } + + static void wispr_portal_request_wispr_login(struct connman_service *service, +@@ -676,11 +677,13 @@ static bool wispr_manage_message(GWebRes + + wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; + ++ wispr_portal_context_ref(wp_context); + if (__connman_agent_request_login_input(wp_context->service, + wispr_portal_request_wispr_login, +- wp_context) != -EINPROGRESS) ++ wp_context) != -EINPROGRESS) { + wispr_portal_error(wp_context); +- else ++ wispr_portal_context_unref(wp_context); ++ } else + return true; + + break; +@@ -729,6 +732,7 @@ static bool wispr_portal_web_result(GWeb + if (length > 0) { + g_web_parser_feed_data(wp_context->wispr_parser, + chunk, length); ++ wispr_portal_context_unref(wp_context); + return true; + } + +@@ -746,6 +750,7 @@ static bool wispr_portal_web_result(GWeb + + switch (status) { + case 000: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -757,11 +762,14 @@ static bool wispr_portal_web_result(GWeb + if (g_web_result_get_header(result, "X-ConnMan-Status", + &str)) { + portal_manage_status(result, wp_context); ++ wispr_portal_context_unref(wp_context); + return false; +- } else ++ } else { ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->redirect_url, wp_context); ++ } + + break; + case 302: +@@ -769,6 +777,7 @@ static bool wispr_portal_web_result(GWeb + !g_web_result_get_header(result, "Location", + &redirect)) { + ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -779,6 +788,7 @@ static bool wispr_portal_web_result(GWeb + + wp_context->redirect_url = g_strdup(redirect); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + redirect, wispr_portal_web_result, + wispr_route_request, wp_context); +@@ -795,6 +805,7 @@ static bool wispr_portal_web_result(GWeb + + break; + case 505: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -807,6 +818,7 @@ static bool wispr_portal_web_result(GWeb + wp_context->request_id = 0; + done: + wp_context->wispr_msg.message_type = -1; ++ wispr_portal_context_unref(wp_context); + return false; + } + +@@ -841,6 +853,7 @@ static void proxy_callback(const char *p + xml_wispr_parser_callback, wp_context); + + wispr_portal_request_portal(wp_context); ++ wispr_portal_context_unref(wp_context); + } + + static gboolean no_proxy_callback(gpointer user_data)