summaryrefslogtreecommitdiff
path: root/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch')
-rwxr-xr-xpackage/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch b/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch
new file mode 100755
index 0000000..4f08ee5
--- /dev/null
+++ b/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch
@@ -0,0 +1,54 @@
+From 5d4fa2a29bef013e61185beb21a3ec110885eb9a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 18:49:01 +0300
+Subject: [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution
+
+Use os_exec() to run the action script operations to avoid undesired
+command line processing for control interface event strings. Previously,
+it could have been possible for some of the event strings to include
+unsanitized data which is not suitable for system() use. (CVE-2014-3686)
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ hostapd/hostapd_cli.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+--- a/hostapd/hostapd_cli.c
++++ b/hostapd/hostapd_cli.c
+@@ -238,28 +238,19 @@ static int hostapd_cli_cmd_mib(struct wp
+ static int hostapd_cli_exec(const char *program, const char *arg1,
+ const char *arg2)
+ {
+- char *cmd;
++ char *arg;
+ size_t len;
+ int res;
+- int ret = 0;
+
+- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
+- cmd = os_malloc(len);
+- if (cmd == NULL)
++ len = os_strlen(arg1) + os_strlen(arg2) + 2;
++ arg = os_malloc(len);
++ if (arg == NULL)
+ return -1;
+- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
+- if (res < 0 || (size_t) res >= len) {
+- os_free(cmd);
+- return -1;
+- }
+- cmd[len - 1] = '\0';
+-#ifndef _WIN32_WCE
+- if (system(cmd) < 0)
+- ret = -1;
+-#endif /* _WIN32_WCE */
+- os_free(cmd);
++ os_snprintf(arg, len, "%s %s", arg1, arg2);
++ res = os_exec(program, arg, 1);
++ os_free(arg);
+
+- return ret;
++ return res;
+ }
+
+