diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2014-10-06 17:25:52 +0300 |
|---|---|---|
| committer | Dan Pasanen <dan.pasanen@gmail.com> | 2014-10-09 15:01:46 -0500 |
| commit | 8e575d91534fd8ad98b06caec872a056c7f2737c (patch) | |
| tree | 3ac5f85eba04677e83387d25ea5a1d15361952c4 | |
| parent | 5ed77d870e563df8560a40478204be5ea9db33e9 (diff) | |
| download | android_external_wpa_supplicant_8-8e575d91534fd8ad98b06caec872a056c7f2737c.tar.gz android_external_wpa_supplicant_8-8e575d91534fd8ad98b06caec872a056c7f2737c.tar.bz2 android_external_wpa_supplicant_8-8e575d91534fd8ad98b06caec872a056c7f2737c.zip | |
wpa_cli: Use os_exec() for action script execution
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Change-Id: I0005ed08e4b06ba3d2ebe95b9240050e47ed2e8c
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| -rw-r--r-- | wpa_supplicant/wpa_cli.c | 25 |
1 files changed, 8 insertions, 17 deletions
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index a379d650..7a035239 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -3064,28 +3064,19 @@ static int str_match(const char *a, const char *b) static int wpa_cli_exec(const char *program, const char *arg1, const char *arg2) { - char *cmd; + char *arg; size_t len; int res; - int ret = 0; - len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; - cmd = os_malloc(len); - if (cmd == NULL) - return -1; - res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); - if (res < 0 || (size_t) res >= len) { - os_free(cmd); + len = os_strlen(arg1) + os_strlen(arg2) + 2; + arg = os_malloc(len); + if (arg == NULL) return -1; - } - cmd[len - 1] = '\0'; -#ifndef _WIN32_WCE - if (system(cmd) < 0) - ret = -1; -#endif /* _WIN32_WCE */ - os_free(cmd); + os_snprintf(arg, len, "%s %s", arg1, arg2); + res = os_exec(program, arg, 1); + os_free(arg); - return ret; + return res; } |