diff options
Diffstat (limited to 'package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch')
-rwxr-xr-x | package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch b/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch new file mode 100755 index 0000000..4f08ee5 --- /dev/null +++ b/package/network/services/hostapd/patches/004-hostapd_cli-Use-os_exec-for-action-script-execution.patch @@ -0,0 +1,54 @@ +From 5d4fa2a29bef013e61185beb21a3ec110885eb9a Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@qca.qualcomm.com> +Date: Mon, 6 Oct 2014 18:49:01 +0300 +Subject: [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution + +Use os_exec() to run the action script operations to avoid undesired +command line processing for control interface event strings. Previously, +it could have been possible for some of the event strings to include +unsanitized data which is not suitable for system() use. (CVE-2014-3686) + +Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> +--- + hostapd/hostapd_cli.c | 25 ++++++++----------------- + 1 file changed, 8 insertions(+), 17 deletions(-) + +--- a/hostapd/hostapd_cli.c ++++ b/hostapd/hostapd_cli.c +@@ -238,28 +238,19 @@ static int hostapd_cli_cmd_mib(struct wp + static int hostapd_cli_exec(const char *program, const char *arg1, + const char *arg2) + { +- char *cmd; ++ char *arg; + size_t len; + int res; +- int ret = 0; + +- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; +- cmd = os_malloc(len); +- if (cmd == NULL) ++ len = os_strlen(arg1) + os_strlen(arg2) + 2; ++ arg = os_malloc(len); ++ if (arg == NULL) + return -1; +- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); +- if (res < 0 || (size_t) res >= len) { +- os_free(cmd); +- return -1; +- } +- cmd[len - 1] = '\0'; +-#ifndef _WIN32_WCE +- if (system(cmd) < 0) +- ret = -1; +-#endif /* _WIN32_WCE */ +- os_free(cmd); ++ os_snprintf(arg, len, "%s %s", arg1, arg2); ++ res = os_exec(program, arg, 1); ++ os_free(arg); + +- return ret; ++ return res; + } + + |