diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2016-04-05 23:33:10 +0300 |
|---|---|---|
| committer | Adrian DC <radian.dc@gmail.com> | 2016-12-03 15:52:45 +0100 |
| commit | 172a4e04241e67b7454ac264d771df557b1b2574 (patch) | |
| tree | 400a56a22b4ad338898416c00152ff47d56ffd10 | |
| parent | aeb2113b1d7e30ebf8ab157836c9e116cfa6b1b9 (diff) | |
| download | android_external_wpa_supplicant_8-172a4e04241e67b7454ac264d771df557b1b2574.tar.gz android_external_wpa_supplicant_8-172a4e04241e67b7454ac264d771df557b1b2574.tar.bz2 android_external_wpa_supplicant_8-172a4e04241e67b7454ac264d771df557b1b2574.zip | |
Reject SET_CRED commands with newline characters in the string values
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges
RM-290
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: b166cd84a77a6717be9600bf95378a0055d6f5a5
Git-repo: git://w1.fi/srv/git/hostap.git
Change-Id: Ib8222446297317f4e57bdb49597fdf6d19554886
CRs-fixed: 1007548
| -rw-r--r-- | wpa_supplicant/config.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 5da6224d..3403ecb8 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2809,6 +2809,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, if (os_strcmp(var, "password") == 0 && os_strncmp(value, "ext:", 4) == 0) { + if (has_newline(value)) + return -1; str_clear_free(cred->password); cred->password = os_strdup(value); cred->ext_password = 1; @@ -2859,9 +2861,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, } val = wpa_config_parse_string(value, &len); - if (val == NULL) { + if (val == NULL || + (os_strcmp(var, "excluded_ssid") != 0 && + os_strcmp(var, "roaming_consortium") != 0 && + os_strcmp(var, "required_roaming_consortium") != 0 && + has_newline(val))) { wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " "value '%s'.", line, var, value); + os_free(val); return -1; } |