From ad44735f2ab69415240127d6590e34615c4b718d Mon Sep 17 00:00:00 2001
From: Sunil Ravi
Date: Thu, 22 Dec 2022 00:10:28 +0000
Subject: [Security bug fixes] Added mac address & country code len check

1. Added mac address size check in supplicant sta iface & p2p iface HAL implementation to avoid crash or information leak in wpa_supplicant
2. Added country code len check in set country code function
Bug: 262246082
Bug: 262235736
Bug: 262245254
Bug: 262236670
Bug: 262236331
Bug: 262236031
Bug: 262236273
Bug: 262245630
Bug: 262236419
Bug: 262235951
Bug: 262246231
Bug: 262245376
Bug: 262235998
Test: Build successfully
Test: Manual STA connect-disconnect
Change-Id: I2fc79687ac820c55c27e858372aec4ae7427c551
Merged-In: I2fc79687ac820c55c27e858372aec4ae7427c551
---
 wpa_supplicant/aidl/p2p_iface.cpp | 8 ++++++++
 wpa_supplicant/aidl/sta_iface.cpp | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/wpa_supplicant/aidl/p2p_iface.cpp b/wpa_supplicant/aidl/p2p_iface.cpp
index 5f992de3..b0a2dbfa 100644
--- a/wpa_supplicant/aidl/p2p_iface.cpp
+++ b/wpa_supplicant/aidl/p2p_iface.cpp
@@ -1347,6 +1347,9 @@ ndk::ScopedAStatus P2pIface::provisionDiscoveryInternal(
 struct wpa_supplicant* wpa_s = retrieveIfacePtr();
 p2ps_provision* prov_param;
 const char* config_method_str = nullptr;
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 switch (provision_method) {
 case WpsProvisionMethod::PBC:
 config_method_str = kConfigMethodStrPbc;
@@ -1956,6 +1959,11 @@ ndk::ScopedAStatus P2pIface::addGroupWithConfigInternal(
 wpa_printf(MSG_DEBUG, "P2P: Stop any on-going P2P FIND before group join.");
 wpas_p2p_stop_find(wpa_s);
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatusWithMsg(SupplicantStatusCode::FAILURE_ARGS_INVALID,
+ "Peer address is invalid.");
+ }
+
 if (pending_scan_res_join_callback != NULL) {
 wpa_printf(MSG_WARNING, "P2P: Renew scan result callback with new request.");
 }
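Review bot: The new peer_address length check in provisionDiscoveryInternal reports FAILURE_UNKNOWN, so a caller cannot distinguish a malformed address from an internal supplicant error, while the addGroupWithConfigInternal hunk in the same file returns FAILURE_ARGS_INVALID with a message for the identical condition. Using the same status here keeps the HAL contract consistent: `return createStatusWithMsg(SupplicantStatusCode::FAILURE_ARGS_INVALID, "Peer address is invalid.");`. The same FAILURE_UNKNOWN choice recurs in every sta_iface.cpp hunk of this change (the TDLS, ANQP, Hs20 icon, country code, WPS and DPP guards), so whichever status is settled on should be applied across all of them. provisionDiscoveryInternal's signature and the rest of its body are outside this hunk.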
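Review bot: In addGroupWithConfigInternal the peer_address guard is placed after wpas_p2p_stop_find(wpa_s), so a request that is then rejected for a bad address has already cancelled any in-progress P2P find as a side effect. Validating arguments before touching supplicant state avoids that; moving the added lines above `wpa_printf(MSG_DEBUG, "P2P: Stop any on-going P2P FIND before group join.");` is enough. The function begins before this hunk, so if peer_address is already dereferenced earlier in the body the check needs to move above that first use instead.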
diff --git a/wpa_supplicant/aidl/sta_iface.cpp b/wpa_supplicant/aidl/sta_iface.cpp
index 7a07cc18..776d6898 100644
--- a/wpa_supplicant/aidl/sta_iface.cpp
+++ b/wpa_supplicant/aidl/sta_iface.cpp
@@ -986,6 +986,9 @@ ndk::ScopedAStatus StaIface::initiateTdlsDiscoverInternal(
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
 int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 const u8 *peer = mac_address.data();
 if (wpa_tdls_is_external_setup(wpa_s->wpa)) {
 ret = wpa_tdls_send_discovery_request(wpa_s->wpa, peer);
@@ -1003,6 +1006,9 @@ ndk::ScopedAStatus StaIface::initiateTdlsSetupInternal(
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
 int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 const u8 *peer = mac_address.data();
 if (wpa_tdls_is_external_setup(wpa_s->wpa) &&
 !(wpa_s->conf->tdls_external_control)) {
@@ -1022,6 +1028,9 @@ ndk::ScopedAStatus StaIface::initiateTdlsTeardownInternal(
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
 int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 const u8 *peer = mac_address.data();
 if (wpa_tdls_is_external_setup(wpa_s->wpa) &&
 !(wpa_s->conf->tdls_external_control)) {
@@ -1058,6 +1067,9 @@ ndk::ScopedAStatus StaIface::initiateAnqpQueryInternal(
 static_cast::type>(type));
 }
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 if (anqp_send_req(
 wpa_s, mac_address.data(), 0, info_elems_buf, num_info_elems,
@@ -1072,6 +1084,9 @@ ndk::ScopedAStatus StaIface::initiateVenueUrlAnqpQueryInternal(
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
 uint16_t info_elems_buf[1] = {ANQP_VENUE_URL};
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 if (anqp_send_req(
 wpa_s, mac_address.data(), 0, info_elems_buf, 1,
 0, 0)) {
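Review bot: The same three-line ETH_ALEN guard is pasted into initiateTdlsDiscoverInternal, initiateTdlsSetupInternal, initiateTdlsTeardownInternal, initiateAnqpQueryInternal and initiateVenueUrlAnqpQueryInternal here, and again in the later hunks of this file; each copy restates the status code independently, which is exactly how the two p2p_iface.cpp guards in this change ended up returning different codes. A file-local helper keeps the check and its status in one place: `static bool isValidEtherAddr(const std::vector<uint8_t>& addr) { return addr.size() == ETH_ALEN; }`, with each function then reading `if (!isValidEtherAddr(mac_address)) { return createStatus(...); }`. In initiateAnqpQueryInternal the guard also sits after the info_elems_buf construction loop rather than at function entry like the others; hoisting it to the top makes the early return uniform and avoids doing work for a request that is rejected anyway. That function's start is outside this hunk.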
@@ -1084,6 +1099,9 @@ ndk::ScopedAStatus StaIface::initiateHs20IconQueryInternal(
 const std::vector &mac_address, const std::string &file_name)
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 wpa_s->fetch_osu_icon_in_progress = 0;
 if (hs20_anqp_send_req(
 wpa_s, mac_address.data(), BIT(HS20_STYPE_ICON_REQUEST),
@@ -1185,6 +1203,10 @@ ndk::ScopedAStatus StaIface::setCountryCodeInternal(
 const std::vector &code)
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ //2-Character alphanumeric country code
+ if (code.size() != 2) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 ndk::ScopedAStatus status = doOneArgDriverCommand(
 wpa_s, kSetCountryCode,
 std::string(std::begin(code), std::end(code)));
@@ -1206,6 +1228,9 @@ ndk::ScopedAStatus StaIface::startWpsRegistrarInternal(
 const std::vector &bssid, const std::string &pin)
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 if (wpas_wps_start_reg(wpa_s, bssid.data(), pin.c_str(), nullptr)) {
 return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
 }
@@ -1216,6 +1241,9 @@ ndk::ScopedAStatus StaIface::startWpsPbcInternal(
 const std::vector &bssid)
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
 const uint8_t *bssid_addr = is_zero_ether_addr(bssid.data()) ?
 nullptr : bssid.data();
 if (wpas_wps_start_pbc(wpa_s, bssid_addr, 0, 0)) {
@@ -1238,6 +1266,9 @@ std::pair StaIface::startWpsPinDisplayInternal(
 const std::vector &bssid)
 {
 struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return {"", createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
 const uint8_t *bssid_addr = is_zero_ether_addr(bssid.data()) ?
 nullptr : bssid.data();
 int pin =
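Review bot: The comment `//2-Character alphanumeric country code` in setCountryCodeInternal promises more than the guard enforces: only code.size() != 2 is rejected, so any two bytes (NUL, whitespace, non-ASCII) are still copied via std::string(std::begin(code), std::end(code)) into the driver command built by doOneArgDriverCommand. Either tighten the check to match the comment, e.g. `if (code.size() != 2 || !std::isalnum(code[0]) || !std::isalnum(code[1])) {` (which needs <cctype> if the file does not already include it; uint8_t promotes to a valid isalnum argument), or reword the comment to `// Country code must be exactly two bytes` so it states what is actually verified. The function's signature begins before this hunk and its driver-command handling continues after it.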
@@ -1609,6 +1640,9 @@ StaIface::generateDppBootstrapInfoForResponderInternal(
 }
 cmd += " chan=" + listen_channel_str;
+ if (mac_address.size() != ETH_ALEN) {
+ return {bootstrap_info, createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
 cmd += " mac=";
 for (int i = 0;i < 6;i++) {
 snprintf(buf, sizeof(buf), "%02x", mac_address[i]);
-- 
cgit v1.2.3
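Review bot: In generateDppBootstrapInfoForResponderInternal the new guard compares mac_address.size() against ETH_ALEN, but the loop that indexes mac_address two lines later is still bounded by a literal 6, so the check and the access it protects are not visibly tied together; `for (int i = 0; i < ETH_ALEN; i++) {` (or a range-for over mac_address) makes the relationship explicit. The guard is also inserted mid-way through building cmd; since the function starts before this hunk, placing it at entry next to any existing parameter validation would keep the early-return pattern uniform with the other functions in this change. Whether bootstrap_info holds anything meaningful in the failure pair returned here cannot be judged from the hunk alone.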