66 lines
2.5 KiB
Diff
66 lines
2.5 KiB
Diff
|
From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
|
||
|
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
||
|
Date: Tue, 5 Apr 2016 23:33:10 +0300
|
||
|
Subject: [PATCH] Reject SET_CRED commands with newline characters in the
|
||
|
string values
|
||
|
|
||
|
Most of the cred block parameters are written as strings without
|
||
|
filtering and if there is an embedded newline character in the value,
|
||
|
unexpected configuration file data might be written.
|
||
|
|
||
|
This fixes an issue where wpa_supplicant could have updated the
|
||
|
configuration file cred parameter with arbitrary data from the control
|
||
|
interface or D-Bus interface. While those interfaces are supposed to be
|
||
|
accessible only for trusted users/applications, it may be possible that
|
||
|
an untrusted user has access to a management software component that
|
||
|
does not validate the credential value before passing it to
|
||
|
wpa_supplicant.
|
||
|
|
||
|
This could allow such an untrusted user to inject almost arbitrary data
|
||
|
into the configuration file. Such configuration file could result in
|
||
|
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
|
||
|
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
|
||
|
controlled location when starting again. This would allow code from that
|
||
|
library to be executed under the wpa_supplicant process privileges.
|
||
|
|
||
|
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
||
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||
|
---
|
||
|
Patch status: upstream (b166cd84a77a6717be9600bf95378a0055d6f5a5)
|
||
|
|
||
|
wpa_supplicant/config.c | 9 ++++++++-
|
||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
|
||
|
index eb97cd5e4e6e..69152efdea1a 100644
|
||
|
--- a/wpa_supplicant/config.c
|
||
|
+++ b/wpa_supplicant/config.c
|
||
|
@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
|
||
|
|
||
|
if (os_strcmp(var, "password") == 0 &&
|
||
|
os_strncmp(value, "ext:", 4) == 0) {
|
||
|
+ if (has_newline(value))
|
||
|
+ return -1;
|
||
|
str_clear_free(cred->password);
|
||
|
cred->password = os_strdup(value);
|
||
|
cred->ext_password = 1;
|
||
|
@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
|
||
|
}
|
||
|
|
||
|
val = wpa_config_parse_string(value, &len);
|
||
|
- if (val == NULL) {
|
||
|
+ if (val == NULL ||
|
||
|
+ (os_strcmp(var, "excluded_ssid") != 0 &&
|
||
|
+ os_strcmp(var, "roaming_consortium") != 0 &&
|
||
|
+ os_strcmp(var, "required_roaming_consortium") != 0 &&
|
||
|
+ has_newline(val))) {
|
||
|
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
|
||
|
"value '%s'.", line, var, value);
|
||
|
+ os_free(val);
|
||
|
return -1;
|
||
|
}
|
||
|
|
||
|
--
|
||
|
2.8.1
|
||
|
|