code.ossystems Code Review - openembedded-core.git/blob

   1 From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <jouni@qca.qualcomm.com>
   3 Date: Fri, 4 Mar 2016 18:46:41 +0200
   4 Subject: [PATCH 1/3] Reject psk parameter set with invalid passphrase
   5  character
   6
   7 WPA/WPA2-Personal passphrase is not allowed to include control
   8 characters. Reject a passphrase configuration attempt if that passphrase
   9 includes an invalid passphrase.
  10
  11 This fixes an issue where wpa_supplicant could have updated the
  12 configuration file psk parameter with arbitrary data from the control
  13 interface or D-Bus interface. While those interfaces are supposed to be
  14 accessible only for trusted users/applications, it may be possible that
  15 an untrusted user has access to a management software component that
  16 does not validate the passphrase value before passing it to
  17 wpa_supplicant.
  18
  19 This could allow such an untrusted user to inject up to 63 characters of
  20 almost arbitrary data into the configuration file. Such configuration
  21 file could result in wpa_supplicant trying to load a library (e.g.,
  22 opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
  23 load_dynamic_eap) from user controlled location when starting again.
  24 This would allow code from that library to be executed under the
  25 wpa_supplicant process privileges.
  26
  27 Upstream-Status: Backport
  28
  29 CVE: CVE-2016-4477
  30
  31 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
  32 Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
  33 ---
  34  wpa_supplicant/config.c | 6 ++++++
  35  1 file changed, 6 insertions(+)
  36
  37 diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
  38 index b1c7870..fdd9643 100644
  39 --- a/wpa_supplicant/config.c
  40 +++ b/wpa_supplicant/config.c
  41 @@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
  42                 }
  43                 wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
  44                                       (u8 *) value, len);
  45 +               if (has_ctrl_char((u8 *) value, len)) {
  46 +                       wpa_printf(MSG_ERROR,
  47 +                                  "Line %d: Invalid passphrase character",
  48 +                                  line);
  49 +                       return -1;
  50 +               }
  51                 if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
  52                     os_memcmp(ssid->passphrase, value, len) == 0) {
  53                         /* No change to the previously configured value */
  54 --
  55 1.9.1