b686745c76
The Android-specific chmod and chown operations on the client socket (for communication with wpa_supplicant) did not protect against file replacement between the bind() and chmod()/chown() calls. If the directory in which the client socket is created (depends a bit on the version and platform, but /data/misc/wifi/sockets is commonly used) allows write access to processes that are different (less privileged) compared to the process calling wpa_ctrl_open2(), it might be possible to delete the socket file and replace it with something else (mainly, a symlink) before the chmod/chown operations occur. This could have resulted in the owner or permissions of the target of that symlink being modified.

In general, it would be safest to use a directory which has more limited write privileges (/data/misc/wifi/sockets normally has 'wifi' group (AID_WIFI) with write access), but if that cannot be easily changed due to other constraints, it is better to make wpa_ctrl_open2() less likely to enable this type of race condition between the operations.

Replace chown() with lchown() (i.e., a version that does not dereference symlinks) and chmod() with fchmod() on the socket before the bind() call which is also not going to dereference a symlink (whereas chmod() would). lchown() is a standard operation, but the fchmod() on the socket is less so (unspecified behavior in some systems). However, it seems to work on Linux and in particular, on Android, where this code is executed.

Signed-off-by: Jouni Malinen <j@w1.fi>

||
---|---|---|
cli.c | ||
cli.h | ||
common_module_tests.c | ||
ctrl_iface_common.c | ||
ctrl_iface_common.h | ||
defs.h | ||
dhcp.h | ||
dpp.c | ||
dpp.h | ||
eapol_common.h | ||
gas.c | ||
gas.h | ||
gas_server.c | ||
gas_server.h | ||
hw_features_common.c | ||
hw_features_common.h | ||
ieee802_1x_defs.h | ||
ieee802_11_common.c | ||
ieee802_11_common.h | ||
ieee802_11_defs.h | ||
linux_bridge.h | ||
linux_vlan.h | ||
Makefile | ||
ocv.c | ||
ocv.h | ||
privsep_commands.h | ||
qca-vendor-attr.h | ||
qca-vendor.h | ||
sae.c | ||
sae.h | ||
tnc.h | ||
version.h | ||
wpa_common.c | ||
wpa_common.h | ||
wpa_ctrl.c | ||
wpa_ctrl.h | ||
wpa_helpers.c | ||
wpa_helpers.h |