From f76c5dfa556f351a8ab78e32b54ff5db5498ee25 Mon Sep 17 00:00:00 2001 From: Jin-Seong Kim Date: Thu, 12 Oct 2017 16:49:00 +0900 Subject: [PATCH] wpa_supplicant : PSK configuration parameter update allowing arbitrary data to be written This commit is patch for mitigation security vulnerability on wpa_supplicant - https://w1.fi/security/2016-1/ Reject SET_CRED commands with newline characters in the string values Most of the cred block parameters are written as strings without filtering and if there is an embedded newline character in the value, unexpected configuration file data might be written. This fixes an issue where wpa_supplicant could have updated the configuration file cred parameter with arbitrary data from the control interface or D-Bus interface. While those interfaces are supposed to be accessible only for trusted users/applications, it may be possible that an untrusted user has access to a management software component that does not validate the credential value before passing it to wpa_supplicant. This could allow such an untrusted user to inject almost arbitrary data into the configuration file. Such configuration file could result in wpa_supplicant trying to load a library (e.g., opensc_engine_path, pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user controlled location when starting again. This would allow code from that library to be executed under the wpa_supplicant process privileges. Change-Id: I41f6fed02ed00b0031b25a7e629094509d753675 Signed-off-by: Jin-Seong Kim --- external/wpa_supplicant/wpa_supplicant/config.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/external/wpa_supplicant/wpa_supplicant/config.c b/external/wpa_supplicant/wpa_supplicant/config.c index 905d840..5731825 100644 --- a/external/wpa_supplicant/wpa_supplicant/config.c +++ b/external/wpa_supplicant/wpa_supplicant/config.c @@ -2623,6 +2623,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, const char *valu } if (os_strcmp(var, "password") == 0 && os_strncmp(value, "ext:", 4) == 0) { + if (has_newline(value)) + return -1; str_clear_free(cred->password); cred->password = os_strdup(value); cred->ext_password = 1; @@ -2674,8 +2676,13 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, const char *valu } val = wpa_config_parse_string(value, &len); - if (val == NULL) { + if (val == NULL || + (os_strcmp(var, "excluded_ssid") != 0 && + os_strcmp(var, "roaming_consortium") != 0 && + os_strcmp(var, "required_roaming_consortium") != 0 && + has_newline(val))) { wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " "value '%s'.", line, var, value); + os_free(val); return -1; } -- 2.7.4