Module Name: src Committed By: christos Date: Tue May 3 18:20:30 UTC 2016
Modified Files: src/external/bsd/wpa/dist/wpa_supplicant: config.c Log Message: http://w1.fi/security/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch WPA/WPA2-Personal passphrase is not allowed to include control characters. Reject a passphrase configuration attempt if that passphrase includes an invalid passphrase. This fixes an issue where wpa_supplicant could have updated the configuration file psk parameter with arbitrary data from the control interface or D-Bus interface. While those interfaces are supposed to be accessible only for trusted users/applications, it may be possible that an untrusted user has access to a management software component that does not validate the passphrase value before passing it to wpa_supplicant. This could allow such an untrusted user to inject up to 63 characters of almost arbitrary data into the configuration file. Such configuration file could result in wpa_supplicant trying to load a library (e.g., opensc_engine_path, pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user controlled location when starting again. This would allow code from that library to be executed under the wpa_supplicant process privileges. To generate a diff of this commit: cvs rdiff -u -r1.1.1.6 -r1.2 \ src/external/bsd/wpa/dist/wpa_supplicant/config.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/wpa/dist/wpa_supplicant/config.c diff -u src/external/bsd/wpa/dist/wpa_supplicant/config.c:1.1.1.6 src/external/bsd/wpa/dist/wpa_supplicant/config.c:1.2 --- src/external/bsd/wpa/dist/wpa_supplicant/config.c:1.1.1.6 Wed Apr 1 15:24:40 2015 +++ src/external/bsd/wpa/dist/wpa_supplicant/config.c Tue May 3 14:20:30 2016 @@ -455,6 +455,12 @@ static int wpa_config_parse_psk(const st } wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)", (u8 *) value, len); + if (has_ctrl_char((u8 *) value, len)) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid passphrase character", + line); + return -1; + } if (ssid->passphrase && os_strlen(ssid->passphrase) == len && os_memcmp(ssid->passphrase, value, len) == 0) return 0;