1 From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@qca.qualcomm.com>
3 Date: Tue, 5 Apr 2016 23:55:48 +0300
4 Subject: [PATCH 3/3] Reject SET commands with newline characters in the
7 Many of the global configuration parameters are written as strings
8 without filtering and if there is an embedded newline character in the
9 value, unexpected configuration file data might be written.
11 This fixes an issue where wpa_supplicant could have updated the
12 configuration file global parameter with arbitrary data from the control
13 interface or D-Bus interface. While those interfaces are supposed to be
14 accessible only for trusted users/applications, it may be possible that
15 an untrusted user has access to a management software component that
16 does not validate the value of a parameter before passing it to
19 This could allow such an untrusted user to inject almost arbitrary data
20 into the configuration file. Such configuration file could result in
21 wpa_supplicant trying to load a library (e.g., opensc_engine_path,
22 pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
23 controlled location when starting again. This would allow code from that
24 library to be executed under the wpa_supplicant process privileges.
26 Upstream-Status: Backport
30 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
31 Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
33 wpa_supplicant/config.c | 6 ++++++
34 1 file changed, 6 insertions(+)
36 diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
37 index 69152ef..d9a1603 100644
38 --- a/wpa_supplicant/config.c
39 +++ b/wpa_supplicant/config.c
40 @@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
44 + if (has_newline(pos)) {
45 + wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
