Add sanity check for mac address & WPS device type
A bunch of Security Report bug fixes.
Added sanity check for mac address length in p2p and
SoftAp functions in supplicant/hostapd AIDL implementation.
Also added sanity check for WPS device type length in
setWpsDeviceType() function.
Checks are added to avoid out of bound read operation in core supplicant/
hostapd code.
Bug: 257029326
Bug: 257029925
Bug: 256818945
Bug: 257030100
Bug: 257030027
Bug: 257029965
Bug: 257029915
Bug: 257029912
Bug: 257029780
Bug: 257029812
Test: Manual - P2P & SoftAp connect/disconnect tests
Change-Id: I2ddd4dea01ac03bd379b465f814e5f8c39cc02a9
Merged-In: I2ddd4dea01ac03bd379b465f814e5f8c39cc02a9
(cherry picked from commit 1a360898757d3bd1a7c3714b1ee51d702057c9b9)
diff --git a/hostapd/aidl/hostapd.cpp b/hostapd/aidl/hostapd.cpp
index 11d1290..3e9f0f1 100644
--- a/hostapd/aidl/hostapd.cpp
+++ b/hostapd/aidl/hostapd.cpp
@@ -701,6 +701,9 @@
const std::vector<uint8_t>& client_address,
const uint16_t reason_code) {
struct sta_info *sta;
+ if (client_address.size() != ETH_ALEN) {
+ return false;
+ }
for (sta = hapd->sta_list; sta; sta = sta->next) {
int res;
res = memcmp(sta->addr, client_address.data(), ETH_ALEN);
diff --git a/wpa_supplicant/aidl/p2p_iface.cpp b/wpa_supplicant/aidl/p2p_iface.cpp
index 06c4545..e7e2bf5 100644
--- a/wpa_supplicant/aidl/p2p_iface.cpp
+++ b/wpa_supplicant/aidl/p2p_iface.cpp
@@ -1289,6 +1289,9 @@
if (go_intent > 15) {
return {"", createStatus(SupplicantStatusCode::FAILURE_ARGS_INVALID)};
}
+ if (peer_address.size() != ETH_ALEN) {
+ return {"", createStatus(SupplicantStatusCode::FAILURE_ARGS_INVALID)};
+ }
int go_intent_signed = join_existing_group ? -1 : go_intent;
p2p_wps_method wps_method = {};
switch (provision_method) {
@@ -1384,6 +1387,9 @@
if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL) {
return createStatus(SupplicantStatusCode::FAILURE_IFACE_DISABLED);
}
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
if (wpas_p2p_reject(wpa_s, peer_address.data())) {
return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
}
@@ -1396,6 +1402,9 @@
const std::vector<uint8_t>& peer_address)
{
struct wpa_supplicant* wpa_s = retrieveIfacePtr();
+ if (peer_address.size() != ETH_ALEN) {
+ return {createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
if (wpas_p2p_invite_group(
wpa_s, group_ifname.c_str(), peer_address.data(),
go_device_address.data(), is6GhzAllowed(wpa_s))) {
@@ -1417,6 +1426,9 @@
if (ssid == NULL || ssid->disabled != 2) {
return createStatus(SupplicantStatusCode::FAILURE_NETWORK_UNKNOWN);
}
+ if (peer_address.size() != ETH_ALEN) {
+ return {createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
if (wpas_p2p_invite(
wpa_s, peer_address.data(), ssid, NULL, 0, 0, ht40, vht,
CHANWIDTH_USE_HT, 0, he, 0, is6GhzAllowed(wpa_s))) {
@@ -1580,6 +1592,9 @@
if (!query_buf) {
return {0, createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
}
+ if (peer_address.size() != ETH_ALEN) {
+ return {0, createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
const uint8_t* dst_addr = is_zero_ether_addr(peer_address.data())
? nullptr
: peer_address.data();
@@ -1626,6 +1641,9 @@
if (!wpa_group_s) {
return createStatus(SupplicantStatusCode::FAILURE_IFACE_UNKNOWN);
}
+ if (bssid.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
const uint8_t* bssid_addr =
is_zero_ether_addr(bssid.data()) ? nullptr : bssid.data();
#ifdef CONFIG_AP
@@ -1674,6 +1692,9 @@
if (!wpa_group_s) {
return {"", createStatus(SupplicantStatusCode::FAILURE_IFACE_UNKNOWN)};
}
+ if (bssid.size() != ETH_ALEN) {
+ return {"", createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)};
+ }
const uint8_t* bssid_addr =
is_zero_ether_addr(bssid.data()) ? nullptr : bssid.data();
int pin = wpas_wps_start_pin(
@@ -1706,6 +1727,9 @@
const std::vector<uint8_t>& type)
{
std::array<uint8_t, 8> type_arr;
+ if (type.size() != 8) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
std::copy_n(type.begin(), 8, type_arr.begin());
return iface_config_utils::setWpsDeviceType(retrieveIfacePtr(), type_arr);
}
@@ -2093,6 +2117,9 @@
const std::vector<uint8_t>& peer_address, bool isLegacyClient)
{
struct wpa_supplicant* wpa_s = retrieveIfacePtr();
+ if (peer_address.size() != ETH_ALEN) {
+ return createStatus(SupplicantStatusCode::FAILURE_UNKNOWN);
+ }
wpas_p2p_remove_client(wpa_s, peer_address.data(), isLegacyClient? 1 : 0);
return ndk::ScopedAStatus::ok();
}