diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch')
| -rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch new file mode 100644 index 0000000000..cad7425c36 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jouni Malinen <jouni@qca.qualcomm.com> | ||
| 3 | Date: Tue, 5 Apr 2016 23:33:10 +0300 | ||
| 4 | Subject: [PATCH 2/3] Reject SET_CRED commands with newline characters in the | ||
| 5 | string values | ||
| 6 | |||
| 7 | Most of the cred block parameters are written as strings without | ||
| 8 | filtering and if there is an embedded newline character in the value, | ||
| 9 | unexpected configuration file data might be written. | ||
| 10 | |||
| 11 | This fixes an issue where wpa_supplicant could have updated the | ||
| 12 | configuration file cred parameter with arbitrary data from the control | ||
| 13 | interface or D-Bus interface. While those interfaces are supposed to be | ||
| 14 | accessible only for trusted users/applications, it may be possible that | ||
| 15 | an untrusted user has access to a management software component that | ||
| 16 | does not validate the credential value before passing it to | ||
| 17 | wpa_supplicant. | ||
| 18 | |||
| 19 | This could allow such an untrusted user to inject almost arbitrary data | ||
| 20 | into the configuration file. Such configuration file could result in | ||
| 21 | wpa_supplicant trying to load a library (e.g., opensc_engine_path, | ||
| 22 | pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user | ||
| 23 | controlled location when starting again. This would allow code from that | ||
| 24 | library to be executed under the wpa_supplicant process privileges. | ||
| 25 | |||
| 26 | Upstream-Status: Backport | ||
| 27 | |||
| 28 | CVE: CVE-2016-4477 | ||
| 29 | |||
| 30 | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> | ||
| 31 | Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> | ||
| 32 | --- | ||
| 33 | wpa_supplicant/config.c | 9 ++++++++- | ||
| 34 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
| 35 | |||
| 36 | diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c | ||
| 37 | index eb97cd5..69152ef 100644 | ||
| 38 | --- a/wpa_supplicant/config.c | ||
| 39 | +++ b/wpa_supplicant/config.c | ||
| 40 | @@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, | ||
| 41 | |||
| 42 | if (os_strcmp(var, "password") == 0 && | ||
| 43 | os_strncmp(value, "ext:", 4) == 0) { | ||
| 44 | + if (has_newline(value)) | ||
| 45 | + return -1; | ||
| 46 | str_clear_free(cred->password); | ||
| 47 | cred->password = os_strdup(value); | ||
| 48 | cred->ext_password = 1; | ||
| 49 | @@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, | ||
| 50 | } | ||
| 51 | |||
| 52 | val = wpa_config_parse_string(value, &len); | ||
| 53 | - if (val == NULL) { | ||
| 54 | + if (val == NULL || | ||
| 55 | + (os_strcmp(var, "excluded_ssid") != 0 && | ||
| 56 | + os_strcmp(var, "roaming_consortium") != 0 && | ||
| 57 | + os_strcmp(var, "required_roaming_consortium") != 0 && | ||
| 58 | + has_newline(val))) { | ||
| 59 | wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " | ||
| 60 | "value '%s'.", line, var, value); | ||
| 61 | + os_free(val); | ||
| 62 | return -1; | ||
| 63 | } | ||
| 64 | |||
| 65 | -- | ||
| 66 | 1.9.1 | ||