From: Jaehyun Kim
Date: Tue, 30 Jul 2024 07:37:37 +0000 (+0900)
Subject: Fix path traversal
X-Git-Tag: accepted/tizen/9.0/unified/20241030.233947~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cd76f4a2729d972aa0474676ae39471f13598dce;p=platform%2Fcore%2Fconnectivity%2Fnet-config.git
Fix path traversal
Fix security vulnerabilities.
- Prevent buffer overflow when fetching ifname
- Path traversal issue in wifi_config_get_group_name() function
Change-Id: Ie614fb5d92373eb379eb851b266e8744136ce083
Signed-off-by: Jaehyun Kim
---
diff --git a/include/wifi-config.h b/include/wifi-config.h
index df03cb9..7dc1ba3 100755
--- a/include/wifi-config.h
+++ b/include/wifi-config.h
@@ -64,6 +64,12 @@ extern "C" {
 #define WIFI_MAC_ADDR_LENGTH 17
 #define WIFI_MAC_ADDR_PATH "/sys/class/net/%s/address"
+#define WIFI_CONFIG_PREFIX "wifi_"
+#define MAC_ADDRESS_LENGTH 12
+#define WIFI_PREFIX_LENGTH MAC_ADDRESS_LENGTH + 6 /* wifi_485a3f2f506a_ */
+#define PROFILE_PREFIX_LENGTH WIFI_PREFIX_LENGTH + 21 /* /net/connman/service/wifi_485a3f2f506a_ */
+#define WIFI_CONFIG_ID_LENGTH 82 /* SSID(in hex) + "_managed_ieee8021x" */
+
 /**
 * This enumeration is used in frame id value in vsie method calls
 */
diff --git a/src/network-state.c b/src/network-state.c
index b4bda04..d071d63 100755
--- a/src/network-state.c
+++ b/src/network-state.c
@@ -34,6 +34,7 @@
 #include "netdbus.h"
 #include "neterror.h"
 #include "emulator.h"
+#include "wifi-config.h"
 #include "wifi-state.h"
 #include "wifi-power.h"
 #include "network-state.h"
@@ -1309,6 +1310,11 @@ const char *netconfig_get_ifname(const char *profile)
 const char *ifname = NULL;
 char *mac_addr = NULL;
+ if (strlen(profile) <= PROFILE_PREFIX_LENGTH) {
+ ERR("Invalid profile");
+ return NULL;
+ }
+
 mac_addr = __netconfig_get_mac_address(profile);
 ifname = wifi_state_get_interface_name(mac_addr);
diff --git a/src/wifi-config.c b/src/wifi-config.c
index 5b831e9..88cda23 100755
--- a/src/wifi-config.c
+++ b/src/wifi-config.c
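Review bot: `WIFI_PREFIX_LENGTH` and `PROFILE_PREFIX_LENGTH` expand to unparenthesized sums, and moving them from wifi-config.c into this shared header widens the set of expressions they can end up in. The new comparison `strlen(profile) <= PROFILE_PREFIX_LENGTH` in netconfig_get_ifname() happens to parse as intended, but a use next to `*`, `-` or `sizeof` arithmetic would silently compute a different bound. Since these values now back a length check, I would write `#define WIFI_PREFIX_LENGTH (MAC_ADDRESS_LENGTH + 6)` and `#define PROFILE_PREFIX_LENGTH (WIFI_PREFIX_LENGTH + 21)`. It is also worth a one-line comment that `MAC_ADDRESS_LENGTH` (12, no separators) is distinct from the existing `WIFI_MAC_ADDR_LENGTH` (17) two lines above it.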
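Review bot: The new guard in netconfig_get_ifname() calls `strlen(profile)` without first checking `profile` for NULL, so a NULL argument still crashes before the length test runs; `if (profile == NULL || strlen(profile) <= PROFILE_PREFIX_LENGTH) {` would cover both. The check also establishes only a minimum length, not that the string actually begins with the `/net/connman/service/wifi_` prefix that the macro comment assumes, so the offset used inside `__netconfig_get_mac_address()` may still land on unrelated characters. That helper's body is outside this hunk, and if it has other callers they presumably remain unguarded; placing the validation inside the helper would protect all of them. The rest of netconfig_get_ifname() continues past the end of the hunk.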
@@ -49,12 +49,6 @@
 #define WIFI_SECURITY_EAP "ieee8021x"
 #define WIFI_SECURITY_SAE "sae"
-#define WIFI_CONFIG_PREFIX "wifi_"
-#define MAC_ADDRESS_LENGTH 12
-#define WIFI_PREFIX_LENGTH MAC_ADDRESS_LENGTH + 6 /* wifi_485a3f2f506a_ */
-#define PROFILE_PREFIX_LENGTH WIFI_PREFIX_LENGTH + 21 /* /net/connman/service/wifi_485a3f2f506a_ */
-#define WIFI_CONFIG_ID_LENGTH 82 /* SSID(in hex) + "_managed_ieee8021x" */
-
 #define NET_DNS_ADDR_MAX 2
 #define MAX_WIFI_PROFILES 200
@@ -205,6 +199,11 @@ gboolean wifi_config_get_group_name(const gchar *prefix,
 gchar *g_name = NULL;
 gboolean ret = FALSE;
+ if (__netconfig_is_valid_config_id(config_id) == FALSE) {
+ ERR("Invalid config_id [%s]", config_id);
+ return FALSE;
+ }
+
 ret = __get_mac_address(interface_name, &mac_address);
 if ((ret != TRUE) || (strlen(mac_address) == 0)) {
 ERR("Cannot get WIFI MAC address");
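Review bot: The rejected value is written to the log verbatim by `ERR("Invalid config_id [%s]", config_id);`, at the exact point where it has just been classified as untrusted. A `config_id` that fails validation can contain newlines or be arbitrarily long, and if `__netconfig_is_valid_config_id()` returns FALSE for NULL (its body is not part of this diff) the `%s` receives a null pointer. I would log without the value, `ERR("Invalid config_id");`, or cap it with a precision such as `%.*s` bounded by `WIFI_CONFIG_ID_LENGTH` after a NULL check. A short comment above the guard stating what the validator guarantees (for example that it rejects `/` and `..`) would let a reader confirm the path-traversal fix without leaving this function, whose signature and remaining body lie outside the hunk.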