hostapd: CVE-2014-3686 fixes
Signed-off-by: Steven Barth <steven@midlink.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42942 3c298f89-4303-0410-b956-a3cf2f4a3e73master
parent
6323cec8d6
commit
65c4baa4a6
|
@ -8,7 +8,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=hostapd
|
||||
PKG_VERSION:=2014-06-03
|
||||
PKG_VERSION:=2014-06-03.1
|
||||
PKG_RELEASE:=1
|
||||
PKG_REV:=84df167554569af8c87f0a8ac1fb508192417d8e
|
||||
|
||||
|
|
|
@ -0,0 +1,110 @@
|
|||
From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
Date: Mon, 6 Oct 2014 16:27:44 +0300
|
||||
Subject: [PATCH 1/3] Add os_exec() helper to run external programs
|
||||
|
||||
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
---
|
||||
src/utils/os.h | 9 +++++++++
|
||||
src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
src/utils/os_win32.c | 6 ++++++
|
||||
3 files changed, 70 insertions(+)
|
||||
|
||||
--- a/src/utils/os.h
|
||||
+++ b/src/utils/os.h
|
||||
@@ -584,6 +584,15 @@ static inline void os_remove_in_array(vo
|
||||
*/
|
||||
size_t os_strlcpy(char *dest, const char *src, size_t siz);
|
||||
|
||||
+/**
|
||||
+ * os_exec - Execute an external program
|
||||
+ * @program: Path to the program
|
||||
+ * @arg: Command line argument string
|
||||
+ * @wait_completion: Whether to wait until the program execution completes
|
||||
+ * Returns: 0 on success, -1 on error
|
||||
+ */
|
||||
+int os_exec(const char *program, const char *arg, int wait_completion);
|
||||
+
|
||||
|
||||
#ifdef OS_REJECT_C_LIB_FUNCTIONS
|
||||
#define malloc OS_DO_NOT_USE_malloc
|
||||
--- a/src/utils/os_unix.c
|
||||
+++ b/src/utils/os_unix.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "includes.h"
|
||||
|
||||
#include <time.h>
|
||||
+#include <sys/wait.h>
|
||||
|
||||
#ifdef ANDROID
|
||||
#include <sys/capability.h>
|
||||
@@ -540,3 +541,57 @@ char * os_strdup(const char *s)
|
||||
}
|
||||
|
||||
#endif /* WPA_TRACE */
|
||||
+
|
||||
+
|
||||
+int os_exec(const char *program, const char *arg, int wait_completion)
|
||||
+{
|
||||
+ pid_t pid;
|
||||
+ int pid_status;
|
||||
+
|
||||
+ pid = fork();
|
||||
+ if (pid < 0) {
|
||||
+ perror("fork");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (pid == 0) {
|
||||
+ /* run the external command in the child process */
|
||||
+ const int MAX_ARG = 30;
|
||||
+ char *_program, *_arg, *pos;
|
||||
+ char *argv[MAX_ARG + 1];
|
||||
+ int i;
|
||||
+
|
||||
+ _program = os_strdup(program);
|
||||
+ _arg = os_strdup(arg);
|
||||
+
|
||||
+ argv[0] = _program;
|
||||
+
|
||||
+ i = 1;
|
||||
+ pos = _arg;
|
||||
+ while (i < MAX_ARG && pos && *pos) {
|
||||
+ while (*pos == ' ')
|
||||
+ pos++;
|
||||
+ if (*pos == '\0')
|
||||
+ break;
|
||||
+ argv[i++] = pos;
|
||||
+ pos = os_strchr(pos, ' ');
|
||||
+ if (pos)
|
||||
+ *pos++ = '\0';
|
||||
+ }
|
||||
+ argv[i] = NULL;
|
||||
+
|
||||
+ execv(program, argv);
|
||||
+ perror("execv");
|
||||
+ os_free(_program);
|
||||
+ os_free(_arg);
|
||||
+ exit(0);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (wait_completion) {
|
||||
+ /* wait for the child process to complete in the parent */
|
||||
+ waitpid(pid, &pid_status, 0);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
--- a/src/utils/os_win32.c
|
||||
+++ b/src/utils/os_win32.c
|
||||
@@ -244,3 +244,9 @@ size_t os_strlcpy(char *dest, const char
|
||||
|
||||
return s - src - 1;
|
||||
}
|
||||
+
|
||||
+
|
||||
+int os_exec(const char *program, const char *arg, int wait_completion)
|
||||
+{
|
||||
+ return -1;
|
||||
+}
|
|
@ -0,0 +1,54 @@
|
|||
From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
Date: Mon, 6 Oct 2014 17:25:52 +0300
|
||||
Subject: [PATCH 2/3] wpa_cli: Use os_exec() for action script execution
|
||||
|
||||
Use os_exec() to run the action script operations to avoid undesired
|
||||
command line processing for control interface event strings. Previously,
|
||||
it could have been possible for some of the event strings to include
|
||||
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
|
||||
|
||||
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
---
|
||||
wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
|
||||
1 file changed, 8 insertions(+), 17 deletions(-)
|
||||
|
||||
--- a/wpa_supplicant/wpa_cli.c
|
||||
+++ b/wpa_supplicant/wpa_cli.c
|
||||
@@ -3149,28 +3149,19 @@ static int str_match(const char *a, cons
|
||||
static int wpa_cli_exec(const char *program, const char *arg1,
|
||||
const char *arg2)
|
||||
{
|
||||
- char *cmd;
|
||||
+ char *arg;
|
||||
size_t len;
|
||||
int res;
|
||||
- int ret = 0;
|
||||
|
||||
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
|
||||
- cmd = os_malloc(len);
|
||||
- if (cmd == NULL)
|
||||
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
|
||||
+ arg = os_malloc(len);
|
||||
+ if (arg == NULL)
|
||||
return -1;
|
||||
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
|
||||
- if (res < 0 || (size_t) res >= len) {
|
||||
- os_free(cmd);
|
||||
- return -1;
|
||||
- }
|
||||
- cmd[len - 1] = '\0';
|
||||
-#ifndef _WIN32_WCE
|
||||
- if (system(cmd) < 0)
|
||||
- ret = -1;
|
||||
-#endif /* _WIN32_WCE */
|
||||
- os_free(cmd);
|
||||
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
|
||||
+ res = os_exec(program, arg, 1);
|
||||
+ os_free(arg);
|
||||
|
||||
- return ret;
|
||||
+ return res;
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
From 5d4fa2a29bef013e61185beb21a3ec110885eb9a Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
Date: Mon, 6 Oct 2014 18:49:01 +0300
|
||||
Subject: [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution
|
||||
|
||||
Use os_exec() to run the action script operations to avoid undesired
|
||||
command line processing for control interface event strings. Previously,
|
||||
it could have been possible for some of the event strings to include
|
||||
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
|
||||
|
||||
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
||||
---
|
||||
hostapd/hostapd_cli.c | 25 ++++++++-----------------
|
||||
1 file changed, 8 insertions(+), 17 deletions(-)
|
||||
|
||||
--- a/hostapd/hostapd_cli.c
|
||||
+++ b/hostapd/hostapd_cli.c
|
||||
@@ -238,28 +238,19 @@ static int hostapd_cli_cmd_mib(struct wp
|
||||
static int hostapd_cli_exec(const char *program, const char *arg1,
|
||||
const char *arg2)
|
||||
{
|
||||
- char *cmd;
|
||||
+ char *arg;
|
||||
size_t len;
|
||||
int res;
|
||||
- int ret = 0;
|
||||
|
||||
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
|
||||
- cmd = os_malloc(len);
|
||||
- if (cmd == NULL)
|
||||
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
|
||||
+ arg = os_malloc(len);
|
||||
+ if (arg == NULL)
|
||||
return -1;
|
||||
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
|
||||
- if (res < 0 || (size_t) res >= len) {
|
||||
- os_free(cmd);
|
||||
- return -1;
|
||||
- }
|
||||
- cmd[len - 1] = '\0';
|
||||
-#ifndef _WIN32_WCE
|
||||
- if (system(cmd) < 0)
|
||||
- ret = -1;
|
||||
-#endif /* _WIN32_WCE */
|
||||
- os_free(cmd);
|
||||
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
|
||||
+ res = os_exec(program, arg, 1);
|
||||
+ os_free(arg);
|
||||
|
||||
- return ret;
|
||||
+ return res;
|
||||
}
|
||||
|
||||
|
|
@ -1,14 +1,14 @@
|
|||
--- a/src/utils/os_unix.c
|
||||
+++ b/src/utils/os_unix.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "includes.h"
|
||||
@@ -10,6 +10,7 @@
|
||||
|
||||
#include <time.h>
|
||||
#include <sys/wait.h>
|
||||
+#include <fcntl.h>
|
||||
|
||||
#ifdef ANDROID
|
||||
#include <sys/capability.h>
|
||||
@@ -154,59 +155,46 @@ int os_gmtime(os_time_t t, struct os_tm
|
||||
@@ -155,59 +156,46 @@ int os_gmtime(os_time_t t, struct os_tm
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
" get_config show current configuration\n"
|
||||
" help show this usage help\n"
|
||||
" interface [ifname] show interfaces/select interface\n"
|
||||
@@ -362,7 +360,6 @@ static int hostapd_cli_cmd_sa_query(stru
|
||||
@@ -353,7 +351,6 @@ static int hostapd_cli_cmd_sa_query(stru
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
|||
static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
|
||||
char *argv[])
|
||||
{
|
||||
@@ -588,7 +585,6 @@ static int hostapd_cli_cmd_wps_config(st
|
||||
@@ -579,7 +576,6 @@ static int hostapd_cli_cmd_wps_config(st
|
||||
ssid_hex, argv[1]);
|
||||
return wpa_ctrl_command(ctrl, buf);
|
||||
}
|
||||
|
@ -32,7 +32,7 @@
|
|||
|
||||
|
||||
static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
|
||||
@@ -979,7 +975,6 @@ static struct hostapd_cli_cmd hostapd_cl
|
||||
@@ -970,7 +966,6 @@ static struct hostapd_cli_cmd hostapd_cl
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
{ "sa_query", hostapd_cli_cmd_sa_query },
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
|
@ -40,7 +40,7 @@
|
|||
{ "wps_pin", hostapd_cli_cmd_wps_pin },
|
||||
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
|
||||
{ "wps_pbc", hostapd_cli_cmd_wps_pbc },
|
||||
@@ -993,7 +988,6 @@ static struct hostapd_cli_cmd hostapd_cl
|
||||
@@ -984,7 +979,6 @@ static struct hostapd_cli_cmd hostapd_cl
|
||||
{ "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
|
||||
{ "wps_config", hostapd_cli_cmd_wps_config },
|
||||
{ "wps_get_status", hostapd_cli_cmd_wps_get_status },
|
||||
|
|
Loading…
Reference in New Issue