From: Jaehyun Kim Date: Thu, 11 Apr 2024 08:34:42 +0000 (+0900) Subject: Fix Stack buffer overflow and Path traversal X-Git-Tag: accepted/tizen/unified/20240930.043759~5 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4abce65c4599aff20d56655a8be1747d1e360171;p=platform%2Fcore%2Fconnectivity%2Fnet-config.git Fix Stack buffer overflow and Path traversal Fix security vulnerabilities. - Stack buffer overflow issue in __netconfig_trigger_netlink_scan - Path traversal issue in DeleteEapConfig method - Path traversal issue in CreateEapConfig method Change-Id: I76ef04f98cdb28926901899f511c80e6162f89ad Signed-off-by: Jaehyun Kim --- diff --git a/include/wifi-config.h b/include/wifi-config.h index 4f674f6..df03cb9 100755 --- a/include/wifi-config.h +++ b/include/wifi-config.h @@ -86,6 +86,7 @@ gboolean wifi_config_get_group_name(const gchar *prefix, int __netconfig_hex_str_to_bin(const char *hex, unsigned char *buf, size_t len); int __netconfig_hex_to_byte(const char *hex); int __netconfig_hex_char_to_num(char c); +gboolean __netconfig_is_valid_config_id(const gchar *config_id); gboolean handle_get_config_ids(Wifi *wifi, GDBusMethodInvocation *context, const gchar *ifname); diff --git a/src/wifi-config.c b/src/wifi-config.c index e586835..3ceb2b6 100755 --- a/src/wifi-config.c +++ b/src/wifi-config.c @@ -1221,7 +1221,7 @@ static unsigned char __netconfig_convert_netmask_to_prefixlen( return bits; } -static gboolean __netconfig_is_valid_config_id(const gchar *config_id) +gboolean __netconfig_is_valid_config_id(const gchar *config_id) { int length; @@ -1233,9 +1233,7 @@ static gboolean __netconfig_is_valid_config_id(const gchar *config_id) return FALSE; for (int i = 0; i < length; i++) { - if (!(islower(config_id[i])) && - !(isdigit(config_id[i])) && - config_id[i] != '_') + if (!(isxdigit(config_id[i])) && config_id[i] != '_') return FALSE; } diff --git a/src/wifi-eap-config.c b/src/wifi-eap-config.c index 1791ecf..e92f8ca 100755 --- a/src/wifi-eap-config.c 
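Review bot: In the loop of `__netconfig_is_valid_config_id` (second hunk of src/wifi-config.c), `isxdigit(config_id[i])` receives a plain `gchar`, so a byte above 0x7F can reach the ctype function as a negative value, which is undefined behaviour; cast first, `isxdigit((unsigned char)config_id[i])`. The same applies to `isxdigit(str[i])` in the new `__netconfig_is_valid_hex` in src/wifi-eap-config.c. Separately, the accepted alphabet changes from `[a-z0-9_]` to hex digits plus `_`, which newly admits `A`-`F` and rejects every other lowercase letter. If config IDs carry a non-hex part such as a security-type suffix (their format is not visible in this diff), those IDs would now fail validation, so the intended format deserves a comment above the function, e.g. `/* config_id format: <expected format>; hex digits and '_' only */`. The function body starts and ends outside the hunk.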
+++ b/src/wifi-eap-config.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "log.h" #include "util.h" @@ -45,6 +46,25 @@ #define CONNMAN_CONFIG_FIELD_PVT_KEY_PASSPHRASE "PrivateKeyPassphrase" #define CONNMAN_CONFIG_FIELD_KEYMGMT_TYPE "KeymgmtType" +static gboolean __netconfig_is_valid_hex(const gchar *str) +{ + int length; + + if (!str) + return FALSE; + + length = strlen(str); + if (length < 1) + return FALSE; + + for (int i = 0; i < length; i++) { + if (!(isxdigit(str[i]))) + return FALSE; + } + + return TRUE; +} + static char *__get_encoded_ssid(const char *name) { char *str = NULL; @@ -251,7 +271,7 @@ static gboolean __netconfig_create_config(const char *profile, GVariant *fields) } } - if (encoded_ssid == NULL) { + if (__netconfig_is_valid_hex(encoded_ssid) == FALSE) { ERR("Failed to fetch SSID"); goto out; } @@ -259,6 +279,11 @@ static gboolean __netconfig_create_config(const char *profile, GVariant *fields) memcpy(mac_str, &profile[strlen(CONNMAN_WIFI_SERVICE_PROFILE_PREFIX)], 12); mac_str[12] = '\0'; + if (__netconfig_is_valid_hex(mac_str) == FALSE) { + ERR("Failed to fetch mac_str"); + goto out; + } + /* Create unique service group name */ group_name = g_strdup_printf("service_%s", encoded_ssid); if (group_name == NULL) { @@ -278,7 +303,7 @@ static gboolean __netconfig_create_config(const char *profile, GVariant *fields) while (g_variant_iter_loop(iter, "{ss}", &field, &value)) { if (g_strcmp0(field, CONNMAN_CONFIG_FIELD_SSID) == 0 || g_strcmp0(field, CONNMAN_CONFIG_FIELD_EAP_METHOD) == 0 || - g_strcmp0(field, CONNMAN_CONFIG_FIELD_PHASE2) || + g_strcmp0(field, CONNMAN_CONFIG_FIELD_PHASE2) == 0 || g_strcmp0(field, CONNMAN_CONFIG_FIELD_KEYMGMT_TYPE) == 0) { if (value != NULL) g_key_file_set_string(keyfile, group_name, field, value); 
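Review bot: The new `__netconfig_is_valid_hex(mac_str)` check in `__netconfig_create_config` accepts any non-empty hex string, so a `mac_str` shorter than 12 characters passes: if `profile` ends early, the 12-byte `memcpy` copies its NUL terminator and the helper's `strlen` stops there. The same `memcpy` runs before any check visible here that `profile` is at least prefix + 12 bytes long, so it may read past the end of the string unless an earlier part of the function (outside the hunk) guarantees the length. Checking the length before the copy closes both gaps, e.g. `if (strlen(profile) < strlen(CONNMAN_WIFI_SERVICE_PROFILE_PREFIX) + 12) goto out;` ahead of the `memcpy`, together with requiring `strlen(mac_str) == 12` in the new condition.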
@@ -375,6 +400,12 @@ static gboolean _delete_configuration(const char *interface_name, const char *pr } ERR("get config_id [%s] from [%s]", config_id, profile); + if (__netconfig_is_valid_config_id(config_id) == FALSE) { + ERR("Invalid config_id [%s]", config_id); + g_free(config_id); + return ret; + } + ret = wifi_config_remove_configuration(interface_name, config_id); if (ret != TRUE) ERR("Fail to wifi_config_remove_configuration [%s]", config_id); diff --git a/src/wifi-netlink-scan.c b/src/wifi-netlink-scan.c index 9f4cfd6..b4eb6e3 100755 --- a/src/wifi-netlink-scan.c +++ b/src/wifi-netlink-scan.c @@ -704,7 +704,8 @@ static int __netconfig_trigger_netlink_scan(struct nl_sock *socket, int vsie_len = strlen(vsie); DBG("vsie: %s vsie_len: %d", vsie, vsie_len); ies_len = (vsie_len % 2) ? ((vsie_len / 2) + 1) : (vsie_len / 2); - __netconfig_hex_str_to_bin(vsie, ies, ies_len); + if (NETCONFIG_MAX_VSIE_LEN >= ies_len) + __netconfig_hex_str_to_bin(vsie, ies, ies_len); } if (ies[0] == NETCONFIG_VENDOR_SPECIFIC_ID && ies[1] >= 4) {
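Review bot: The rejection path in `_delete_configuration` ends with `return ret;`, which depends on whatever `ret` holds at that point. Its declaration and the call that produced `config_id` are outside the hunk, and if that call stored TRUE in `ret` the function would report success without removing anything; `return FALSE;` states the intent directly. The rejected `config_id` is also written to the log unfiltered, both in the existing `ERR("get config_id [%s] from [%s]", ...)` line above the check and in the new message, so a value containing control characters reaches the log as-is. Moving the validation ahead of the first log line, and logging only that validation failed, avoids that.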
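Review bot: When `ies_len` exceeds `NETCONFIG_MAX_VSIE_LEN` the conversion is skipped silently, but `ies_len` keeps the oversized value and the following `if (ies[0] == NETCONFIG_VENDOR_SPECIFIC_ID && ies[1] >= 4)` still inspects `ies`. Any later use of `ies_len` as the length of `ies` would then read past the buffer (the rest of `__netconfig_trigger_netlink_scan` is outside the hunk), and the caller gets no indication that the vsie was dropped. An `else` branch that logs and resets the length makes the rejection explicit, e.g. `else { ERR("vsie too long: %d", vsie_len); ies_len = 0; }`. The bound itself is only correct if `ies` is declared with at least `NETCONFIG_MAX_VSIE_LEN` bytes, which is not visible here.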