aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2014-10-06 17:25:52 +0300
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-10-20 22:07:02 +0200
commitf13c605aa73fcfbef1635e641377564498912556 (patch)
treebca6939273b66f1274259df3a70521f2f851bb2b
parent2718efcea5d1e18faef7181533456c7ed58025c7 (diff)
downloadexternal_wpa_supplicant_8-f13c605aa73fcfbef1635e641377564498912556.zip
external_wpa_supplicant_8-f13c605aa73fcfbef1635e641377564498912556.tar.gz
external_wpa_supplicant_8-f13c605aa73fcfbef1635e641377564498912556.tar.bz2
wpa_cli: Use os_exec() for action script execution
Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Change-Id: I0005ed08e4b06ba3d2ebe95b9240050e47ed2e8c Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
-rw-r--r--wpa_supplicant/wpa_cli.c25
1 files changed, 8 insertions, 17 deletions
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 87d2bf8..c6a506b 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -2868,28 +2868,19 @@ static int str_match(const char *a, const char *b)
static int wpa_cli_exec(const char *program, const char *arg1,
const char *arg2)
{
- char *cmd;
+ char *arg;
size_t len;
int res;
- int ret = 0;
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
- cmd = os_malloc(len);
- if (cmd == NULL)
- return -1;
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
- if (res < 0 || (size_t) res >= len) {
- os_free(cmd);
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
+ arg = os_malloc(len);
+ if (arg == NULL)
return -1;
- }
- cmd[len - 1] = '\0';
-#ifndef _WIN32_WCE
- if (system(cmd) < 0)
- ret = -1;
-#endif /* _WIN32_WCE */
- os_free(cmd);
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
+ res = os_exec(program, arg, 1);
+ os_free(arg);
- return ret;
+ return res;
}