hostapd: CVE-2014-3686 fixes

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42942
owl
Steven Barth 2014-10-17 06:15:35 +00:00
parent 4fce5d1951
commit 99984eaeb3
9 changed files with 229 additions and 11 deletions

View File

@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
PKG_VERSION:=2014-06-03
PKG_VERSION:=2014-06-03.1
PKG_RELEASE:=1
PKG_REV:=84df167554569af8c87f0a8ac1fb508192417d8e

View File

@ -0,0 +1,110 @@
From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 6 Oct 2014 16:27:44 +0300
Subject: [PATCH 1/3] Add os_exec() helper to run external programs
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/utils/os.h | 9 +++++++++
src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
src/utils/os_win32.c | 6 ++++++
3 files changed, 70 insertions(+)
--- a/src/utils/os.h
+++ b/src/utils/os.h
@@ -584,6 +584,15 @@ static inline void os_remove_in_array(vo
*/
size_t os_strlcpy(char *dest, const char *src, size_t siz);
+/**
+ * os_exec - Execute an external program
+ * @program: Path to the program
+ * @arg: Command line argument string
+ * @wait_completion: Whether to wait until the program execution completes
+ * Returns: 0 on success, -1 on error
+ */
+int os_exec(const char *program, const char *arg, int wait_completion);
+
#ifdef OS_REJECT_C_LIB_FUNCTIONS
#define malloc OS_DO_NOT_USE_malloc
--- a/src/utils/os_unix.c
+++ b/src/utils/os_unix.c
@@ -9,6 +9,7 @@
#include "includes.h"
#include <time.h>
+#include <sys/wait.h>
#ifdef ANDROID
#include <sys/capability.h>
@@ -540,3 +541,57 @@ char * os_strdup(const char *s)
}
#endif /* WPA_TRACE */
+
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+ pid_t pid;
+ int pid_status;
+
+ pid = fork();
+ if (pid < 0) {
+ perror("fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+ /* run the external command in the child process */
+ const int MAX_ARG = 30;
+ char *_program, *_arg, *pos;
+ char *argv[MAX_ARG + 1];
+ int i;
+
+ _program = os_strdup(program);
+ _arg = os_strdup(arg);
+
+ argv[0] = _program;
+
+ i = 1;
+ pos = _arg;
+ while (i < MAX_ARG && pos && *pos) {
+ while (*pos == ' ')
+ pos++;
+ if (*pos == '\0')
+ break;
+ argv[i++] = pos;
+ pos = os_strchr(pos, ' ');
+ if (pos)
+ *pos++ = '\0';
+ }
+ argv[i] = NULL;
+
+ execv(program, argv);
+ perror("execv");
+ os_free(_program);
+ os_free(_arg);
+ exit(0);
+ return -1;
+ }
+
+ if (wait_completion) {
+ /* wait for the child process to complete in the parent */
+ waitpid(pid, &pid_status, 0);
+ }
+
+ return 0;
+}
--- a/src/utils/os_win32.c
+++ b/src/utils/os_win32.c
@@ -244,3 +244,9 @@ size_t os_strlcpy(char *dest, const char
return s - src - 1;
}
+
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+ return -1;
+}

View File

@ -0,0 +1,54 @@
From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 6 Oct 2014 17:25:52 +0300
Subject: [PATCH 2/3] wpa_cli: Use os_exec() for action script execution
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -3149,28 +3149,19 @@ static int str_match(const char *a, cons
static int wpa_cli_exec(const char *program, const char *arg1,
const char *arg2)
{
- char *cmd;
+ char *arg;
size_t len;
int res;
- int ret = 0;
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
- cmd = os_malloc(len);
- if (cmd == NULL)
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
+ arg = os_malloc(len);
+ if (arg == NULL)
return -1;
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
- if (res < 0 || (size_t) res >= len) {
- os_free(cmd);
- return -1;
- }
- cmd[len - 1] = '\0';
-#ifndef _WIN32_WCE
- if (system(cmd) < 0)
- ret = -1;
-#endif /* _WIN32_WCE */
- os_free(cmd);
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
+ res = os_exec(program, arg, 1);
+ os_free(arg);
- return ret;
+ return res;
}

View File

@ -0,0 +1,54 @@
From 5d4fa2a29bef013e61185beb21a3ec110885eb9a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 6 Oct 2014 18:49:01 +0300
Subject: [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
hostapd/hostapd_cli.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -238,28 +238,19 @@ static int hostapd_cli_cmd_mib(struct wp
static int hostapd_cli_exec(const char *program, const char *arg1,
const char *arg2)
{
- char *cmd;
+ char *arg;
size_t len;
int res;
- int ret = 0;
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
- cmd = os_malloc(len);
- if (cmd == NULL)
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
+ arg = os_malloc(len);
+ if (arg == NULL)
return -1;
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
- if (res < 0 || (size_t) res >= len) {
- os_free(cmd);
- return -1;
- }
- cmd[len - 1] = '\0';
-#ifndef _WIN32_WCE
- if (system(cmd) < 0)
- ret = -1;
-#endif /* _WIN32_WCE */
- os_free(cmd);
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
+ res = os_exec(program, arg, 1);
+ os_free(arg);
- return ret;
+ return res;
}

View File

@ -1,14 +1,14 @@
--- a/src/utils/os_unix.c
+++ b/src/utils/os_unix.c
@@ -9,6 +9,7 @@
#include "includes.h"
@@ -10,6 +10,7 @@
#include <time.h>
#include <sys/wait.h>
+#include <fcntl.h>
#ifdef ANDROID
#include <sys/capability.h>
@@ -154,59 +155,46 @@ int os_gmtime(os_time_t t, struct os_tm
@@ -155,59 +156,46 @@ int os_gmtime(os_time_t t, struct os_tm
return 0;
}

View File

@ -157,7 +157,7 @@
#include "drivers/driver.h"
#include "wpa_supplicant_i.h"
#include "config.h"
@@ -247,6 +248,10 @@ static void calculate_update_time(const
@@ -247,6 +248,10 @@ static void calculate_update_time(const
static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
struct os_reltime *fetch_time)
{

View File

@ -166,7 +166,7 @@
/**
* wpa_hexdump_ascii_key - conditional hex dump, hide keys
@@ -142,8 +177,14 @@ void wpa_hexdump_ascii(int level, const
@@ -142,8 +177,14 @@ void wpa_hexdump_ascii(int level, const
* bytes per line will be shown. This works like wpa_hexdump_ascii(), but by
* default, does not include secret keys (passwords, etc.) in debug output.
*/

View File

@ -16,7 +16,7 @@
" get_config show current configuration\n"
" help show this usage help\n"
" interface [ifname] show interfaces/select interface\n"
@@ -362,7 +360,6 @@ static int hostapd_cli_cmd_sa_query(stru
@@ -353,7 +351,6 @@ static int hostapd_cli_cmd_sa_query(stru
#endif /* CONFIG_IEEE80211W */
@ -24,7 +24,7 @@
static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
char *argv[])
{
@@ -588,7 +585,6 @@ static int hostapd_cli_cmd_wps_config(st
@@ -579,7 +576,6 @@ static int hostapd_cli_cmd_wps_config(st
ssid_hex, argv[1]);
return wpa_ctrl_command(ctrl, buf);
}
@ -32,7 +32,7 @@
static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
@@ -979,7 +975,6 @@ static struct hostapd_cli_cmd hostapd_cl
@@ -970,7 +966,6 @@ static struct hostapd_cli_cmd hostapd_cl
#ifdef CONFIG_IEEE80211W
{ "sa_query", hostapd_cli_cmd_sa_query },
#endif /* CONFIG_IEEE80211W */
@ -40,7 +40,7 @@
{ "wps_pin", hostapd_cli_cmd_wps_pin },
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
{ "wps_pbc", hostapd_cli_cmd_wps_pbc },
@@ -993,7 +988,6 @@ static struct hostapd_cli_cmd hostapd_cl
@@ -984,7 +979,6 @@ static struct hostapd_cli_cmd hostapd_cl
{ "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
{ "wps_config", hostapd_cli_cmd_wps_config },
{ "wps_get_status", hostapd_cli_cmd_wps_get_status },

View File

@ -33,7 +33,7 @@
/* Initialize the driver interface */
if (!(b[0] | b[1] | b[2] | b[3] | b[4] | b[5]))
b = NULL;
@@ -372,8 +384,6 @@ static void hostapd_global_deinit(const
@@ -372,8 +384,6 @@ static void hostapd_global_deinit(const
#endif /* CONFIG_NATIVE_WINDOWS */
eap_server_unregister_methods();