authorJouni Malinen <jouni@qca.qualcomm.com>2014-10-06 18:49:01 +0300
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-10-20 22:07:54 +0200
commit14c921dc18b5f15f2caac886fc522268f5910ace (patch)
treea7de42db6dbac9ba8e9238396fd7b5c55df256c9
parentf13c605aa73fcfbef1635e641377564498912556 (diff)
hostapd_cli: Use os_exec() for action script executionHEADmaster
Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Change-Id: If46d6cfcb9d7fc9700965e818315e5aa50fa11a5 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
-rw-r--r--hostapd/hostapd_cli.c25
1 files changed, 8 insertions, 17 deletions
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index 27bea2a..5d21eec 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -227,28 +227,19 @@ static int hostapd_cli_cmd_mib(struct wpa_ctrl *ctrl, int argc, char *argv[])
static int hostapd_cli_exec(const char *program, const char *arg1,
const char *arg2)
{
- char *cmd;
+ char *arg;
size_t len;
int res;
- int ret = 0;
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
- cmd = os_malloc(len);
- if (cmd == NULL)
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
+ arg = os_malloc(len);
+ if (arg == NULL)
return -1;
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
- if (res < 0 || (size_t) res >= len) {
- os_free(cmd);
- return -1;
- }
- cmd[len - 1] = '\0';
-#ifndef _WIN32_WCE
- if (system(cmd) < 0)
- ret = -1;
-#endif /* _WIN32_WCE */
- os_free(cmd);
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
+ res = os_exec(program, arg, 1);
+ os_free(arg);
- return ret;
+ return res;
}
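Review bot: The result of `os_snprintf(arg, len, "%s %s", arg1, arg2)` is no longer checked, although the removed code did check it. `len` is sized to fit exactly, so truncation is not expected, but on an error return `arg` would be handed to `os_exec()` with unspecified contents. Keeping the guard is cheap: `res = os_snprintf(arg, len, "%s %s", arg1, arg2);` followed by `if (res < 0 || (size_t) res >= len) { os_free(arg); return -1; }`. A short comment above the `os_exec()` call would also help the next reader, for example `/* No shell is involved (see commit message); arg1/arg2 still carry control interface event text, so the action script must treat its arguments as untrusted. */`. The return value now comes straight from `os_exec()` and the `_WIN32_WCE` guard is gone, so callers outside this hunk and the non-Unix `os_exec()` implementation should be checked to confirm they still get the result they expect.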