author: Jouni Malinen <jouni@qca.qualcomm.com> 2016-04-05 23:55:48 +0300
committer: Sravanthi Palakonda <srapal@codeaurora.org> 2016-05-30 15:00:59 +0530
commit: fb5e6a596d166a190e33c9bd003878c09db131d9 (patch)
tree: 8cb917031d6d6135cf3c8818b742e5cce70df06f
parent: bff2b00256dd3f679a4d53067c0bedc3b3f61573 (diff)

Reject SET commands with newline characters in the string values

Many of the global configuration parameters are written as strings without filtering and if there is an embedded newline character in the value, unexpected configuration file data might be written.

This fixes an issue where wpa_supplicant could have updated the configuration file global parameter with arbitrary data from the control interface or D-Bus interface. While those interfaces are supposed to be accessible only for trusted users/applications, it may be possible that an untrusted user has access to a management software component that does not validate the value of a parameter before passing it to wpa_supplicant.

This could allow such an untrusted user to inject almost arbitrary data into the configuration file. Such configuration file could result in wpa_supplicant trying to load a library (e.g., opensc_engine_path, pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user controlled location when starting again. This would allow code from that library to be executed under the wpa_supplicant process privileges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: 2a3f56502b52375c3bf113cf92adfa99bad6b488
Git-repo: git://w1.fi/srv/git/hostap.git
Change-Id: Ibb1eeb6b727c27ecc4a2efce57f5394e98051061
CRs-fixed: 1007548

-rw-r--r-- wpa_supplicant/config.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 631c39c9..3455fc0e 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3670,6 +3670,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
return -1;
}
+ if (has_newline(pos)) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
+ line, data->name);
+ return -1;
+ }
+
tmp = os_strdup(pos);
if (tmp == NULL)
return -1;
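
Review bot: The has_newline(pos) check added in wpa_global_config_parse_str() closes only the path through this one function, and has_newline() itself is not shown in the diff, so two things need confirming before this is treated as a complete fix for the config-file injection the commit message describes. First, check whether the helper also rejects a bare carriage return; if it tests only for '\n', say so in a comment or extend it. Second, check that any global parameter whose value is stored without going through this function gets the same filter before it can be written back to the configuration file. A smaller point on the message "Line %d: invalid %s value with newline": the commit message says these values arrive through SET on the control interface or D-Bus, where a config-file line number may not be meaningful, so the log line could mislead whoever triages it. Placing the check before os_strdup(pos) is right, since a rejected value never gets allocated or stored.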