From 5ed77d870e563df8560a40478204be5ea9db33e9 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 6 Oct 2014 16:27:44 +0300 Subject: Add os_exec() helper to run external programs Change-Id: I579af1fa8c2f85622ffddb186ba799dcb9ac4b6f Signed-off-by: Jouni Malinen --- src/utils/os.h | 9 +++++++++ src/utils/os_unix.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/utils/os_win32.c | 5 +++++ 3 files changed, 68 insertions(+) diff --git a/src/utils/os.h b/src/utils/os.h index ad208341..aa040991 100644 --- a/src/utils/os.h +++ b/src/utils/os.h @@ -506,6 +506,15 @@ static inline void * os_realloc_array(void *ptr, size_t nmemb, size_t size) */ size_t os_strlcpy(char *dest, const char *src, size_t siz); +/** + * os_exec - Execute an external program + * @program: Path to the program + * @arg: Command line argument string + * @wait_completion: Whether to wait until the program execution completes + * Returns: 0 on success, -1 on error + */ +int os_exec(const char *program, const char *arg, int wait_completion); + #ifdef OS_REJECT_C_LIB_FUNCTIONS #define malloc OS_DO_NOT_USE_malloc diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c index 10b9e0da..c1eec70f 100644 --- a/src/utils/os_unix.c +++ b/src/utils/os_unix.c @@ -9,6 +9,7 @@ #include "includes.h" #include +#include #ifdef ANDROID #include 
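Review bot: The doc comment added for os_exec() in src/utils/os.h does not say how `@arg` becomes argv, which callers passing event data need to know. Going by the os_unix.c implementation later in this commit, the string is split on spaces with no quoting or escaping, at most 29 arguments are kept and the rest are dropped silently, and a return of 0 only means that fork() succeeded. I would extend the comment along the lines of `@arg: Space-separated arguments; split on ' ' only, no quoting, at most 29 entries` and `Returns: 0 if the child was started (its exit status is not reported), -1 on error`.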
@@ -493,3 +494,56 @@ char * os_strdup(const char *s) } #endif /* WPA_TRACE */ + +int os_exec(const char *program, const char *arg, int wait_completion) +{ + pid_t pid; + int pid_status; + + pid = fork(); + if (pid < 0) { + perror("fork"); + return -1; + } + + if (pid == 0) { + /* run the external command in the child process */ + const int MAX_ARG = 30; + char *_program, *_arg, *pos; + char *argv[MAX_ARG + 1]; + int i; + + _program = os_strdup(program); + _arg = os_strdup(arg); + + argv[0] = _program; + + i = 1; + pos = _arg; + while (i < MAX_ARG && pos && *pos) { + while (*pos == ' ') + pos++; + if (*pos == '\0') + break; + argv[i++] = pos; + pos = os_strchr(pos, ' '); + if (pos) + *pos++ = '\0'; + } + argv[i] = NULL; + + execv(program, argv); + perror("execv"); + os_free(_program); + os_free(_arg); + exit(0); + return -1; + } + + if (wait_completion) { + /* wait for the child process to complete in the parent */ + waitpid(pid, &pid_status, 0); + } + + return 0; +} diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c index 163cebef..eedc9411 100644 --- a/src/utils/os_win32.c +++ b/src/utils/os_win32.c @@ -233,3 +233,8 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz) return s - src - 1; } + +int os_exec(const char *program, const char *arg, int wait_completion) +{ + return -1; +} -- cgit v1.2.3 From 8e575d91534fd8ad98b06caec872a056c7f2737c Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 6 Oct 2014 17:25:52 +0300 Subject: wpa_cli: Use os_exec() for action script execution Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Change-Id: I0005ed08e4b06ba3d2ebe95b9240050e47ed2e8c Signed-off-by: Jouni Malinen --- wpa_supplicant/wpa_cli.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) 
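Review bot: In the child branch of os_exec(), a failed `execv()` ends with `exit(0)`, so the child reports success. Because `exit()` is used rather than `_exit()`, it also runs the atexit handlers and stdio flush inherited from the parent; `_exit(127);` avoids both. In the parent, the result of `waitpid()` and `pid_status` are discarded, so os_exec() returns 0 even when the program could not be started; at minimum use `if (waitpid(pid, &pid_status, 0) < 0) return -1;`. When `wait_completion` is 0 the child is not reaped in this function, which deserves a comment on who collects it. The two `os_strdup()` results are also used unchecked, so `argv[0]` can be NULL after an allocation failure.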
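Review bot: The Windows stub of os_exec() in src/utils/os_win32.c returns -1 unconditionally and carries no comment. The following commits on this page replace `system()` in wpa_cli_exec() and hostapd_cli_exec() with os_exec(), and the removed code only skipped `system()` under `_WIN32_WCE`, so action scripts would appear to stop running on other Windows builds. If that is intended, say so in the stub, for example `/* Not implemented on Windows: external programs are not executed */`, so the -1 is not mistaken for a transient failure.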
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index a379d650..7a035239 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -3064,28 +3064,19 @@ static int str_match(const char *a, const char *b) static int wpa_cli_exec(const char *program, const char *arg1, const char *arg2) { - char *cmd; + char *arg; size_t len; int res; - int ret = 0; - len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; - cmd = os_malloc(len); - if (cmd == NULL) - return -1; - res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); - if (res < 0 || (size_t) res >= len) { - os_free(cmd); + len = os_strlen(arg1) + os_strlen(arg2) + 2; + arg = os_malloc(len); + if (arg == NULL) return -1; - } - cmd[len - 1] = '\0'; -#ifndef _WIN32_WCE - if (system(cmd) < 0) - ret = -1; -#endif /* _WIN32_WCE */ - os_free(cmd); + os_snprintf(arg, len, "%s %s", arg1, arg2); + res = os_exec(program, arg, 1); + os_free(arg); - return ret; + return res; } -- cgit v1.2.3 From b76a82e8f28a5c3f43958e0e1b3c26390725b040 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 6 Oct 2014 18:49:01 +0300 Subject: hostapd_cli: Use os_exec() for action script execution Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Change-Id: If46d6cfcb9d7fc9700965e818315e5aa50fa11a5 Signed-off-by: Jouni Malinen --- hostapd/hostapd_cli.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c index 7187abcf..4d73481e 100644 --- a/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c 
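Review bot: wpa_cli_exec() joins `arg1` and `arg2` with a space and os_exec() then splits that string on spaces again. Whitespace inside the event string in `arg2` therefore still decides how many argv entries the action script receives, even though shell metacharacters are no longer interpreted. A comment at the call would make that contract explicit, e.g. `/* arg2 may contain unsanitized event data; os_exec() splits on spaces, so the script must treat every argument as untrusted */`. The return value of `os_snprintf()` is now ignored where the removed code checked it; `len` is sized exactly here, so this is a consistency point rather than a truncation risk. Both remarks apply equally to hostapd_cli_exec() in the next commit.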
@@ -225,28 +225,19 @@ static int hostapd_cli_cmd_mib(struct wpa_ctrl *ctrl, int argc, char *argv[]) static int hostapd_cli_exec(const char *program, const char *arg1, const char *arg2) { - char *cmd; + char *arg; size_t len; int res; - int ret = 0; - len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; - cmd = os_malloc(len); - if (cmd == NULL) + len = os_strlen(arg1) + os_strlen(arg2) + 2; + arg = os_malloc(len); + if (arg == NULL) return -1; - res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); - if (res < 0 || (size_t) res >= len) { - os_free(cmd); - return -1; - } - cmd[len - 1] = '\0'; -#ifndef _WIN32_WCE - if (system(cmd) < 0) - ret = -1; -#endif /* _WIN32_WCE */ - os_free(cmd); + os_snprintf(arg, len, "%s %s", arg1, arg2); + res = os_exec(program, arg, 1); + os_free(arg); - return ret; + return res; } -- cgit v1.2.3 From d16e18d1946ce59763cf99eb35d7102e0de07c10 Mon Sep 17 00:00:00 2001 From: Rashmi Ramanna Date: Mon, 20 Jan 2014 22:55:09 +0200 Subject: P2P: Extend the listen time based on the active concurrent session A P2P Device while in the Listen state waiting to respond for the obtained group negotiation request shall give a fair chance for other concurrent sessions to use the shared radio by inducing an idle time between the successive listen states. However, if there are no concurrent operations, this idle time can be reduced. CRs-Fixed: 606348 Git-commit: a2d63657603b8f0714274f34bea45cb5d0c0a7b9 Git-repo : git://w1.fi/srv/git/hostap.git Signed-hostap: Jouni Malinen Change-Id: Ifbc6b7687889055764ef462abb710ef9a6c580a8 --- wpa_supplicant/p2p_supplicant.c | 1 - 1 file changed, 1 deletion(-) diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index e339d0e6..a41b3d86 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c 
@@ -3376,7 +3376,6 @@ int wpas_p2p_init(struct wpa_global *global, struct wpa_supplicant *wpa_s) p2p.get_noa = wpas_get_noa; p2p.go_connected = wpas_go_connected; p2p.is_concurrent_session_active = wpas_is_concurrent_session_active; - p2p.is_p2p_in_progress = _wpas_p2p_in_progress; os_memcpy(wpa_s->global->p2p_dev_addr, wpa_s->own_addr, ETH_ALEN); os_memcpy(p2p.dev_addr, wpa_s->global->p2p_dev_addr, ETH_ALEN); -- cgit v1.2.3 From 34633459ab748a7e12224e47c30d673ac74b97c3 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 19 May 2014 23:25:38 +0300 Subject: X.509: Fix internal TLS/X.509 validation of PKCS#1 signature Verify that there is no extra data after the hash field. This is needed to avoid potential attacks using additional data to construct a value that passes the RSA operation and allows the hash value to be forged. CRs-Fixed: 654804 Change-Id: Iee0a8de08fd0f7d66b3bfd0c4396637d9b70e92f Git-commit: 9c29d48725fd40a82407a89f193cf009aeef9745 Git-repo : git://w1.fi/srv/git/hostap.git Signed-off-by: Jouni Malinen --- src/tls/x509v3.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c index 9b498292..7e79420f 100644 --- a/src/tls/x509v3.c +++ b/src/tls/x509v3.c @@ -1790,6 +1790,15 @@ skip_digest_oid: return -1; } + if (hdr.payload + hdr.length < data + data_len) { + wpa_hexdump(MSG_INFO, + "X509: Extra data after certificate signature hash", + hdr.payload + hdr.length, + data + data_len - hdr.payload - hdr.length); + os_free(data); + return -1; + } + os_free(data); wpa_printf(MSG_DEBUG, "X509: Certificate Digest matches with " -- cgit v1.2.3 From 699897d2b0cdc8ff3e4cfcbb1b640135825af924 Mon Sep 17 00:00:00 2001 
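Review bot: The trailing-data check added in src/tls/x509v3.c has no comment saying why it is security-relevant, and the enclosing function starts and ends outside this hunk, so a reader of the file alone sees only a length comparison. I would put the rationale from the commit message next to the code, e.g. `/* No data may follow the hash: trailing bytes give room to forge a value that passes the RSA operation */`. The test uses `<`, so it covers only the case where the hash ends before `data + data_len`. Whether the ASN.1 header parsing already rejects a `hdr.length` that runs past the buffer is not visible here and is worth confirming. The `wpa_hexdump()` at `MSG_INFO` also logs certificate-controlled bytes, which is fine for diagnosis but worth a conscious choice of log level.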
From: Avraham Stern Date: Thu, 27 Mar 2014 08:58:30 +0200 Subject: P2P: Fix segfault when PBC overlap is detected If a separate P2P group interface is used, PBC overlap during group formation causes the group interface to be removed, which ends up with the interface context becoming invalid. Fix this by scheduling a timeout to process the PBC overlap and interface removal instead of removing the interface directly before the connection operation has returned. Signed-off-by: Avraham Stern Git-commit: ace0fbdb69b492a3aa6f24d07f0d6d4dffc4b7dc Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: Iee452eb1ea731c7e216e0ec25a7c7235756589ac CRs-fixed: 670339 --- wpa_supplicant/events.c | 6 +++++- wpa_supplicant/p2p_supplicant.c | 7 +++++++ wpa_supplicant/p2p_supplicant.h | 1 + wpa_supplicant/wps_supplicant.c | 11 +---------- 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index cfeb8e8e..eb8e7c5b 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -974,8 +974,12 @@ int wpa_supplicant_connect(struct wpa_supplicant *wpa_s, wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_OVERLAP "PBC session overlap"); #ifdef CONFIG_P2P - if (wpas_p2p_notif_pbc_overlap(wpa_s) == 1) + if (wpa_s->p2p_group_interface == P2P_GROUP_INTERFACE_CLIENT || + wpa_s->p2p_in_provisioning) { + eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, + wpa_s, NULL); return -1; + } #endif /* CONFIG_P2P */ #ifdef CONFIG_WPS diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index a41b3d86..dddd4316 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -5891,6 +5891,13 @@ int wpas_p2p_notif_pbc_overlap(struct wpa_supplicant *wpa_s) } +void wpas_p2p_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx) +{ + struct wpa_supplicant *wpa_s = eloop_ctx; + wpas_p2p_notif_pbc_overlap(wpa_s); +} + + void wpas_p2p_update_channel_list(struct wpa_supplicant *wpa_s) { struct p2p_channels chan; 
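Review bot: In the wpa_supplicant/events.c hunk, `eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, wpa_s, NULL)` leaves a raw `wpa_s` pointer queued in the event loop, and no matching cancellation on interface removal is visible in this commit. If the interface can be torn down by another path before the timeout runs, the callback would use a freed context, which is the class of bug this commit is fixing. Confirm that the deinit path calls `eloop_cancel_timeout(wpas_p2p_pbc_overlap_cb, wpa_s, NULL);`, or add it. The inline condition replaces the earlier `wpas_p2p_notif_pbc_overlap(wpa_s) == 1` test, and whether it matches the check inside that function cannot be seen from this hunk. A short comment explaining why the call is deferred, like the one kept in wps_supplicant.c, would help, and the return value of `eloop_register_timeout()` is ignored; wpa_supplicant_connect() continues outside the hunk.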
diff --git a/wpa_supplicant/p2p_supplicant.h b/wpa_supplicant/p2p_supplicant.h index 64c5857c..e558edd9 100644 --- a/wpa_supplicant/p2p_supplicant.h +++ b/wpa_supplicant/p2p_supplicant.h @@ -162,6 +162,7 @@ void wpas_p2p_new_psk_cb(struct wpa_supplicant *wpa_s, const u8 *mac_addr, const u8 *psk, size_t psk_len); void wpas_p2p_remove_client(struct wpa_supplicant *wpa_s, const u8 *peer, int iface_addr); +void wpas_p2p_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx); #ifdef CONFIG_P2P void wpas_p2p_continue_after_scan(struct wpa_supplicant *wpa_s); diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c index fca69254..12ebd234 100644 --- a/wpa_supplicant/wps_supplicant.c +++ b/wpa_supplicant/wps_supplicant.c @@ -508,15 +508,6 @@ static int wpa_supplicant_wps_cred(void *ctx, } -#ifdef CONFIG_P2P -static void wpas_wps_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx) -{ - struct wpa_supplicant *wpa_s = eloop_ctx; - wpas_p2p_notif_pbc_overlap(wpa_s); -} -#endif /* CONFIG_P2P */ - - static void wpa_supplicant_wps_event_m2d(struct wpa_supplicant *wpa_s, struct wps_event_m2d *m2d) { @@ -535,7 +526,7 @@ static void wpa_supplicant_wps_event_m2d(struct wpa_supplicant *wpa_s, * Notify P2P from eloop timeout to avoid issues with the * interface getting removed while processing a message. */ - eloop_register_timeout(0, 0, wpas_wps_pbc_overlap_cb, wpa_s, + eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, wpa_s, NULL); } #endif /* CONFIG_P2P */ -- cgit v1.2.3