[Security bug fixes] Added mac address & country code len check
1. Added MAC address size checks in the supplicant STA iface
and P2P iface HAL implementations to avoid
a crash or information leak in wpa_supplicant
2. Added country code len check in set country code function
Bug: 262246082
Bug: 262235736
Bug: 262245254
Bug: 262236670
Bug: 262236331
Bug: 262236031
Bug: 262236273
Bug: 262245630
Bug: 262236419
Bug: 262235951
Bug: 262246231
Bug: 262245376
Bug: 262235998
Test: Build successfully
Test: Manual STA connect-disconnect
Change-Id: I2fc79687ac820c55c27e858372aec4ae7427c551
Merged-In: I2fc79687ac820c55c27e858372aec4ae7427c551
diff --git a/wpa_supplicant/aidl/p2p_iface.cpp b/wpa_supplicant/aidl/p2p_iface.cpp
index 5f992de..b0a2dbf 100644
--- a/wpa_supplicant/aidl/p2p_iface.cpp
+++ b/wpa_supplicant/aidl/p2p_iface.cpp
@@ -1347,6 +1347,9 @@
struct wpa_supplicant* wpa_s = retrieveIfacePtr();
p2ps_provision* prov_param;
const char* config_method_str = nullptr;
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
switch (provision_method) {
case WpsProvisionMethod::PBC:
config_method_str = kConfigMethodStrPbc;
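Review bot: The new length guard on `peer_address` returns `FAILURE_UNKNOWN`, while the guard added in the second hunk of this file returns `FAILURE_ARGS_INVALID` with a message. A wrong-length address is a caller error, and the client should be able to tell it apart from an internal failure. Every length check added in sta_iface.cpp (the `mac_address`, `bssid` and `code` guards) uses the same `FAILURE_UNKNOWN` return. I would use `return createStatusWithMsg(SupplicantStatusCode::FAILURE_ARGS_INVALID, "Peer address is invalid.");` here and the equivalent in those hunks. The enclosing function starts and ends outside the hunk.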
@@ -1956,6 +1959,11 @@
wpa_printf(MSG_DEBUG, "P2P: Stop any on-going P2P FIND before group join.");
wpas_p2p_stop_find(wpa_s);
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatusWithMsg(SupplicantStatusCode::FAILURE_ARGS_INVALID,
+ "Peer address is invalid.");
+ }
+
if (pending_scan_res_join_callback != NULL) {
wpa_printf(MSG_WARNING, "P2P: Renew scan result callback with new request.");
}
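Review bot: The `peer_address.size()` check sits after `wpas_p2p_stop_find(wpa_s)`, so a request that is then rejected as invalid has already cancelled any ongoing P2P find. Argument validation should run before any state change: move the `if (peer_address.size() != ETH_ALEN) { ... }` block above the `wpa_printf` / `wpas_p2p_stop_find` pair. The function begins and ends outside the hunk, so whether other side effects precede these lines cannot be confirmed from here.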
diff --git a/wpa_supplicant/aidl/sta_iface.cpp b/wpa_supplicant/aidl/sta_iface.cpp
index 7a07cc1..776d689 100644
--- a/wpa_supplicant/aidl/sta_iface.cpp
+++ b/wpa_supplicant/aidl/sta_iface.cpp
@@ -986,6 +986,9 @@
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
const u8 *peer = mac_address.data();
if (wpa_tdls_is_external_setup(wpa_s->wpa)) {
ret = wpa_tdls_send_discovery_request(wpa_s->wpa, peer);
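Review bot: The guard rejects a wrong-length `mac_address` without logging anything, so a client that repeatedly sends malformed addresses leaves no trace in the supplicant log. A line such as `wpa_printf(MSG_WARNING, "Invalid MAC address length: %zu", mac_address.size());` before the return would make these rejections visible for triage. The same applies to the other length guards added in this file. The function's signature lies outside the hunk.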
@@ -1003,6 +1006,9 @@
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
const u8 *peer = mac_address.data();
if (wpa_tdls_is_external_setup(wpa_s->wpa) &&
!(wpa_s->conf->tdls_external_control)) {
@@ -1022,6 +1028,9 @@
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
int ret;
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
const u8 *peer = mac_address.data();
if (wpa_tdls_is_external_setup(wpa_s->wpa) &&
!(wpa_s->conf->tdls_external_control)) {
@@ -1058,6 +1067,9 @@
static_cast<std::underlying_type<
Hs20AnqpSubtypes>::type>(type));
}
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
if (anqp_send_req(
wpa_s, mac_address.data(), 0, info_elems_buf, num_info_elems,
@@ -1072,6 +1084,9 @@
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
uint16_t info_elems_buf[1] = {ANQP_VENUE_URL};
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
if (anqp_send_req(
wpa_s, mac_address.data(), 0, info_elems_buf, 1, 0, 0)) {
@@ -1084,6 +1099,9 @@
const std::vector<uint8_t> &mac_address, const std::string &file_name)
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (mac_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
wpa_s->fetch_osu_icon_in_progress = 0;
if (hs20_anqp_send_req(
wpa_s, mac_address.data(), BIT(HS20_STYPE_ICON_REQUEST),
@@ -1185,6 +1203,10 @@
const std::vector<uint8_t> &code)
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ //2-Character alphanumeric country code
+ if (code.size() != 2) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
ndk::ScopedAStatus status = doOneArgDriverCommand(
wpa_s, kSetCountryCode,
std::string(std::begin(code), std::end(code)));
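Review bot: The guard checks only that `code` holds two bytes, although the comment above it says the country code is alphanumeric. Any two byte values, including NUL, space or control characters, still reach `std::string(std::begin(code), std::end(code))` and are handed to `doOneArgDriverCommand`. How that helper assembles the driver command is not visible here, so the impact is unconfirmed, but the check should enforce what the comment states: `if (code.size() != 2 || !isalnum(code[0]) || !isalnum(code[1])) {`. The comment itself would read better as `// Country code is exactly two alphanumeric characters.`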
@@ -1206,6 +1228,9 @@
const std::vector<uint8_t> &bssid, const std::string &pin)
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
if (wpas_wps_start_reg(wpa_s, bssid.data(), pin.c_str(), nullptr)) {
return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
}
@@ -1216,6 +1241,9 @@
const std::vector<uint8_t> &bssid)
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
const uint8_t *bssid_addr =
is_zero_ether_addr(bssid.data()) ? nullptr : bssid.data();
if (wpas_wps_start_pbc(wpa_s, bssid_addr, 0, 0)) {
@@ -1238,6 +1266,9 @@
const std::vector<uint8_t> &bssid)
{
struct wpa_supplicant *wpa_s = retrieveIfacePtr();
+ if (bssid.size() != ETH_ALEN) {
+ return {"", createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
const uint8_t *bssid_addr =
is_zero_ether_addr(bssid.data()) ? nullptr : bssid.data();
int pin =
@@ -1609,6 +1640,9 @@
}
cmd += " chan=" + listen_channel_str;
+ if (mac_address.size() != ETH_ALEN) {
+ return {bootstrap_info, createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
cmd += " mac=";
for (int i = 0;i < 6;i++) {
snprintf(buf, sizeof(buf), "%02x", mac_address[i]);
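Review bot: The guard compares against `ETH_ALEN`, but the loop it protects still uses the literal `6` (`for (int i = 0;i < 6;i++)`), so the bounds safety of `mac_address[i]` depends on two separately written constants staying equal. Writing the bound as `i < ETH_ALEN` ties the index range directly to the check. The guard also runs after `cmd` has been partly built; moving it to the start of the function, which lies outside this hunk, would reject bad input before any work is done.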