package/wpa_supplicant/0011-Reject-SET_CRED-commands-with-newline-characters-in-.patch - github/buildroot/buildroot - Gitiles

 From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@qca.qualcomm.com>
 Date: Tue, 5 Apr 2016 23:33:10 +0300
 Subject: [PATCH] Reject SET_CRED commands with newline characters in the
  string values

 Most of the cred block parameters are written as strings without
 filtering and if there is an embedded newline character in the value,
 unexpected configuration file data might be written.

 This fixes an issue where wpa_supplicant could have updated the
 configuration file cred parameter with arbitrary data from the control
 interface or D-Bus interface. While those interfaces are supposed to be
 accessible only for trusted users/applications, it may be possible that
 an untrusted user has access to a management software component that
 does not validate the credential value before passing it to
 wpa_supplicant.

 This could allow such an untrusted user to inject almost arbitrary data
 into the configuration file. Such configuration file could result in
 wpa_supplicant trying to load a library (e.g., opensc_engine_path,
 pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
 controlled location when starting again. This would allow code from that
 library to be executed under the wpa_supplicant process privileges.

 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
 Signed-off-by: Baruch Siach <baruch@tkos.co.il>
 ---
 Patch status: upstream (b166cd84a77a6717be9600bf95378a0055d6f5a5)

  wpa_supplicant/config.c | 9 ++++++++-
  1 file changed, 8 insertions(+), 1 deletion(-)

 diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
 index eb97cd5e4e6e..69152efdea1a 100644
 --- a/wpa_supplicant/config.c
 +++ b/wpa_supplicant/config.c
 @@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,

  	if (os_strcmp(var, "password") == 0 &&
  	    os_strncmp(value, "ext:", 4) == 0) {
 +		if (has_newline(value))
 +			return -1;
  		str_clear_free(cred->password);
  		cred->password = os_strdup(value);
  		cred->ext_password = 1;
 @@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
  	}

  	val = wpa_config_parse_string(value, &len);
 -	if (val == NULL) {
 +	if (val == NULL ||
 +	    (os_strcmp(var, "excluded_ssid") != 0 &&
 +	     os_strcmp(var, "roaming_consortium") != 0 &&
 +	     os_strcmp(var, "required_roaming_consortium") != 0 &&
 +	     has_newline(val))) {
  		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
  			   "value '%s'.", line, var, value);
 +		os_free(val);
  		return -1;
  	}

 --
 2.8.1
	From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
	From: Jouni Malinen <jouni@qca.qualcomm.com>
	Date: Tue, 5 Apr 2016 23:33:10 +0300
	Subject: [PATCH] Reject SET_CRED commands with newline characters in the
	string values

	Most of the cred block parameters are written as strings without
	filtering and if there is an embedded newline character in the value,
	unexpected configuration file data might be written.

	This fixes an issue where wpa_supplicant could have updated the
	configuration file cred parameter with arbitrary data from the control
	interface or D-Bus interface. While those interfaces are supposed to be
	accessible only for trusted users/applications, it may be possible that
	an untrusted user has access to a management software component that
	does not validate the credential value before passing it to
	wpa_supplicant.

	This could allow such an untrusted user to inject almost arbitrary data
	into the configuration file. Such configuration file could result in
	wpa_supplicant trying to load a library (e.g., opensc_engine_path,
	pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
	controlled location when starting again. This would allow code from that
	library to be executed under the wpa_supplicant process privileges.

	Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
	Signed-off-by: Baruch Siach <baruch@tkos.co.il>
	---
	Patch status: upstream (b166cd84a77a6717be9600bf95378a0055d6f5a5)

	wpa_supplicant/config.c \| 9 ++++++++-
	1 file changed, 8 insertions(+), 1 deletion(-)

	diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
	index eb97cd5e4e6e..69152efdea1a 100644
	--- a/wpa_supplicant/config.c
	+++ b/wpa_supplicant/config.c
	@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred cred, const char var,

	if (os_strcmp(var, "password") == 0 &&
	os_strncmp(value, "ext:", 4) == 0) {
	+ if (has_newline(value))
	+ return -1;
	str_clear_free(cred->password);
	cred->password = os_strdup(value);
	cred->ext_password = 1;
	@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred cred, const char var,
	}

	val = wpa_config_parse_string(value, &len);
	- if (val == NULL) {
	+ if (val == NULL \|\|
	+ (os_strcmp(var, "excluded_ssid") != 0 &&
	+ os_strcmp(var, "roaming_consortium") != 0 &&
	+ os_strcmp(var, "required_roaming_consortium") != 0 &&
	+ has_newline(val))) {
	wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
	"value '%s'.", line, var, value);
	+ os_free(val);
	return -1;
	}

	--
	2.8.1