WPS UPnP: Fix event message generation using a long URL path

More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-06-03 22:41:02 +03:00 committed by Jouni Malinen
parent 5b78c8f961
commit f7d268864a
2 changed files with 9 additions and 3 deletions

View file

@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
int rerr; int rerr;
size_t host_len, path_len; size_t host_len, path_len;
/* url MUST begin with http: */ /* URL MUST begin with HTTP scheme. In addition, limit the length of
if (url_len < 7 || os_strncasecmp(url, "http://", 7)) * the URL to 700 characters which is around the limit that was
* implicitly enforced for more than 10 years due to a bug in
* generating the event messages. */
if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
goto fail; goto fail;
}
url += 7; url += 7;
url_len -= 7; url_len -= 7;

View file

@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
struct wpabuf *buf; struct wpabuf *buf;
char *b; char *b;
buf = wpabuf_alloc(1000 + wpabuf_len(e->data)); buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
wpabuf_len(e->data));
if (buf == NULL) if (buf == NULL)
return NULL; return NULL;
wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path); wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);