From patchwork Tue Feb 27 13:31:19 2024
X-Patchwork-Submitter: Chien Wong
X-Patchwork-Id: 1905054
Message-ID: <987cac1e-c2ea-4eaa-be2e-2345f961bbdd@xv97.com>
Date: Tue, 27 Feb 2024 21:31:19 +0800
From: Chien Wong
To: hostap@lists.infradead.org
Subject: [PATCH] wpa_supplicant: Fix mixing enum and int type in config parser
Hi, everyone

The problem addressed by the patch is straightforward: within wpa_supplicant/config.c, there are two tables, ssid_fields[] and global_fields[], utilized for parsing configuration files. These tables contain information such as configuration names, parsers, member offsets in the structure, and so on. Upon investigation, it was discovered that numerous enum members are being parsed by the int parser, which may lead to potential bugs. Enums can differ in size from ints, potentially resulting in corruption of the relevant structure.

This patch seeks advice on a potential solution. While the current approach may not be optimal, adding something like ENUM(), ENUM_RANGE() to parse the enums could be an alternative.
From ec2fc4565da50ee7a140087ba91a7f3dba325a45 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Mon, 26 Feb 2024 22:08:56 +0800 Subject: [PATCH] wpa_supplicant: Fix mixing enum and int type in config parser Currently, many enum members are handled as ints in the config parser. C does not guarantee enum and int are of the same size. What's worse, when -fshort-enums is enabled on GCC, enum can be as short as char. If sizeof(enum) < sizeof(int), buffer overflow will occur when parsing config. Fix this by changing related enum members to ints. Signed-off-by: Chien Wong ---  wpa_supplicant/config.h      | 98 ++++++++++++++++++++++--------------  wpa_supplicant/config_ssid.h | 31 +++++++++---  2 files changed, 83 insertions(+), 46 deletions(-)  struct wpa_ssid {      /** @@ -423,6 +426,8 @@ struct wpa_ssid {      /**       * mode - IEEE 802.11 operation mode (Infrastucture/IBSS)       * +     * Enumerations are defined in enum wpas_mode. +     *       * 0 = infrastructure (Managed) mode, i.e., associate with an AP.       *       * 1 = IBSS (ad-hoc, peer-to-peer) @@ -444,7 +449,7 @@ struct wpa_ssid {       * CCMP, but not both), and psk must also be set (either directly or       * using ASCII passphrase).       */ -    enum wpas_mode mode; +    int mode;      /**       * pbss - Whether to use PBSS. Relevant to DMG networks only. @@ -490,6 +495,8 @@ struct wpa_ssid {      /**       * ieee80211w - Whether management frame protection is enabled       * +     * Enumerations are defined in enum mfp_options. +     *       * This value is used to configure policy for management frame       * protection (IEEE 802.11w). 0 = disabled, 1 = optional, 2 = required.       * This is disabled by default unless the default value has been changed @@ -499,7 +506,7 @@ struct wpa_ssid {       * was not specified in the configuration (i.e., default behavior is       * followed).       */ -    enum mfp_options ieee80211w; +    int ieee80211w;  #ifdef CONFIG_OCV      /** 
@@ -586,7 +593,12 @@ struct wpa_ssid {      int eht; -    enum oper_chan_width max_oper_chwidth; +    /** +     * Maximum oper channel width +     * +     * Enumerations are defined in enum oper_chan_width. +     */ +    int max_oper_chwidth;      unsigned int vht_center_freq1;      unsigned int vht_center_freq2; @@ -605,12 +617,13 @@ struct wpa_ssid {       * broken implementations and should be avoided when using or       * interacting with one.       * +     * Enumerations are defined in enum ptk0_rekey_handling.       * 0 = always rekey when configured/instructed       * 1 = only rekey when the local driver is explicitly indicating it can       *    perform this operation without issues       * 2 = never allow PTK0 rekeys       */ -    enum ptk0_rekey_handling wpa_deny_ptk0_rekey; +    int wpa_deny_ptk0_rekey;      /**       * group_rekey - Group rekeying time in seconds @@ -1008,6 +1021,7 @@ struct wpa_ssid {      /**       * mac_addr - MAC address policy       * +     * Enumerations are defined in enum wpas_mac_addr_style.       * 0 = use permanent MAC address       * 1 = use random MAC address for each ESS connection       * 2 = like 1, but maintain OUI (with local admin bit set) @@ -1017,7 +1031,7 @@ struct wpa_ssid {       * was not specified in the configuration (i.e., default behavior is       * followed).       */ -    enum wpas_mac_addr_style mac_addr; +    int mac_addr;      /**       * mac_value - Specific MAC address to be used 
@@ -1217,13 +1231,15 @@ struct wpa_ssid {      /**       * sae_pk - SAE-PK mode +     * +     * Enumerations are defined in enum sae_pk_mode.       * 0 = automatic SAE/SAE-PK selection based on password; enable       * transition mode (allow SAE authentication without SAE-PK)       * 1 = SAE-PK only (disable transition mode; allow SAE authentication       * only with SAE-PK)       * 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)       */ -    enum sae_pk_mode sae_pk; +    int sae_pk;      /**       * was_recently_reconfigured - Whether this SSID config has been changed @@ -1241,11 +1257,12 @@ struct wpa_ssid {       * that the parameter is not set and the global sae_pwe value needs to       * be considered.       * +     * Enumerations are defined in enum sae_pwe.       * 0 = hunting-and-pecking loop only       * 1 = hash-to-element only       * 2 = both hunting-and-pecking loop and hash-to-element enabled       */ -    enum sae_pwe sae_pwe; +    int sae_pwe;      /**       * disable_eht - Disable EHT (IEEE 802.11be) for this network diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h index 8981305c2..994a85489 100644 --- a/wpa_supplicant/config.h +++ b/wpa_supplicant/config.h 
@@ -441,6 +441,45 @@ struct wpa_cred {  #define CFG_CHANGED_BGSCAN BIT(20)  #define CFG_CHANGED_FT_PREPEND_PMKID BIT(21) +/** + * p2p_go_freq_change_policy - The GO frequency change policy + * + * This controls the behavior of the GO when there is a change in the + * map of the currently used frequencies in case more than one channel + * is supported. + * + * @P2P_GO_FREQ_MOVE_SCM: Prefer working in a single channel mode if + * possible. In case the GO is the only interface using its frequency + * and there are other station interfaces on other frequencies, the GO + * will migrate to one of these frequencies. + * + * @P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS: Same as P2P_GO_FREQ_MOVE_SCM, + * but a transition is possible only in case one of the other used + * frequencies is one of the frequencies in the intersection of the + * frequency list of the local device and the peer device. + * + * @P2P_GO_FREQ_MOVE_STAY: Prefer to stay on the current frequency. + * + * @P2P_GO_FREQ_MOVE_SCM_ECSA: Same as + * P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS but a transition is possible only + * if all the group members advertise eCSA support. + */ +enum p2p_go_freq_change_policy { +    P2P_GO_FREQ_MOVE_SCM = 0, +    P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS = 1, +    P2P_GO_FREQ_MOVE_STAY = 2, +    P2P_GO_FREQ_MOVE_SCM_ECSA = 3, +    P2P_GO_FREQ_MOVE_MAX = P2P_GO_FREQ_MOVE_SCM_ECSA, +}; + +enum mld_connect_band_pref { +    MLD_CONNECT_BAND_PREF_AUTO = 0, +    MLD_CONNECT_BAND_PREF_2GHZ = 1, +    MLD_CONNECT_BAND_PREF_5GHZ = 2, +    MLD_CONNECT_BAND_PREF_6GHZ = 3, +    MLD_CONNECT_BAND_PREF_MAX = 4, +}; +  /**   * struct wpa_config - wpa_supplicant configuration data   * 
@@ -448,6 +487,9 @@ struct wpa_cred {   * data. In many cases, there is only one struct wpa_config instance, but if   * more than one network interface is being controlled, one instance is used   * for each. + * + * Warning: Pay attention to using enums in the structure as treating enums as ints + * in the config parser could be dangerous if sizeof(enum) != sizeof(int).   */  struct wpa_config {      /** @@ -888,33 +930,9 @@ struct wpa_config {      /**       * p2p_go_freq_change_policy - The GO frequency change policy       * -     * This controls the behavior of the GO when there is a change in the -     * map of the currently used frequencies in case more than one channel -     * is supported. -     * -     * @P2P_GO_FREQ_MOVE_SCM: Prefer working in a single channel mode if -     * possible. In case the GO is the only interface using its frequency -     * and there are other station interfaces on other frequencies, the GO -     * will migrate to one of these frequencies. -     * -     * @P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS: Same as P2P_GO_FREQ_MOVE_SCM, -     * but a transition is possible only in case one of the other used -     * frequencies is one of the frequencies in the intersection of the -     * frequency list of the local device and the peer device. -     * -     * @P2P_GO_FREQ_MOVE_STAY: Prefer to stay on the current frequency. -     * -     * @P2P_GO_FREQ_MOVE_SCM_ECSA: Same as -     * P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS but a transition is possible only -     * if all the group members advertise eCSA support. +     * Enumerations are defined in enum p2p_go_freq_change_policy.       */ -    enum { -        P2P_GO_FREQ_MOVE_SCM = 0, -        P2P_GO_FREQ_MOVE_SCM_PEER_SUPPORTS = 1, -        P2P_GO_FREQ_MOVE_STAY = 2, -        P2P_GO_FREQ_MOVE_SCM_ECSA = 3, -        P2P_GO_FREQ_MOVE_MAX = P2P_GO_FREQ_MOVE_SCM_ECSA, -    } p2p_go_freq_change_policy; +    int p2p_go_freq_change_policy;  #define DEFAULT_P2P_GO_FREQ_MOVE P2P_GO_FREQ_MOVE_STAY 
@@ -1261,12 +1279,13 @@ struct wpa_config {      /**       * pmf - Whether to enable/require PMF by default       * +     * Enumerations are defined in enum mfp_options.       * By default, PMF is disabled unless enabled by the per-network       * ieee80211w=1 or ieee80211w=2 parameter. pmf=1/2 can be used to change       * this default behavior for RSN network (this is not applicable for       * non-RSN cases).       */ -    enum mfp_options pmf; +    int pmf;      /**       * sae_check_mfp - Whether to limit SAE based on PMF capabilities @@ -1299,11 +1318,12 @@ struct wpa_config {      /**       * sae_pwe - SAE mechanism for PWE derivation +     * Enumerations are defined in enum sae_pwe.       * 0 = hunting-and-pecking loop only       * 1 = hash-to-element only       * 2 = both hunting-and-pecking loop and hash-to-element enabled       */ -    enum sae_pwe sae_pwe; +    int sae_pwe;      /**       * sae_pmkid_in_assoc - Whether to include PMKID in SAE Assoc Req @@ -1415,6 +1435,7 @@ struct wpa_config {      /**       * mac_addr - MAC address policy default       * +     * Enumerations are defined in enum wpas_mac_addr_style.       * 0 = use permanent MAC address       * 1 = use random MAC address for each ESS connection       * 2 = like 1, but maintain OUI (with local admin bit set) @@ -1423,7 +1444,7 @@ struct wpa_config {       * the per-network mac_addr parameter. Global mac_addr=1 can be used to       * change this default behavior.       */ -    enum wpas_mac_addr_style mac_addr; +    int mac_addr;      /**       * rand_addr_lifetime - Lifetime of random MAC address in seconds 
@@ -1433,11 +1454,12 @@ struct wpa_config {      /**       * preassoc_mac_addr - Pre-association MAC address policy       * +     * Enumerations are defined in enum wpas_mac_addr_style.       * 0 = use permanent MAC address       * 1 = use random MAC address       * 2 = like 1, but maintain OUI (with local admin bit set)       */ -    enum wpas_mac_addr_style preassoc_mac_addr; +    int preassoc_mac_addr;      /**       * key_mgmt_offload - Use key management offload @@ -1573,8 +1595,10 @@ struct wpa_config {      /**       * mbo_cell_capa - Cellular capabilities for MBO +     * +     * Enumerations are defined in enum mbo_cellular_capa.       */ -    enum mbo_cellular_capa mbo_cell_capa; +    int mbo_cell_capa;      /**       * disassoc_imminent_rssi_threshold - RSSI threshold of candidate AP @@ -1635,11 +1659,12 @@ struct wpa_config {      /**       * gas_rand_mac_addr - GAS MAC address policy       * +     * Enumerations are defined in enum wpas_mac_addr_style.       * 0 = use permanent MAC address       * 1 = use random MAC address       * 2 = like 1, but maintain OUI (with local admin bit set)       */ -    enum wpas_mac_addr_style gas_rand_mac_addr; +    int gas_rand_mac_addr;      /**       * dpp_config_processing - How to process DPP configuration @@ -1789,13 +1814,8 @@ struct wpa_config {  #endif /* CONFIG_PASN*/  #ifdef CONFIG_TESTING_OPTIONS -    enum { -        MLD_CONNECT_BAND_PREF_AUTO = 0, -        MLD_CONNECT_BAND_PREF_2GHZ = 1, -        MLD_CONNECT_BAND_PREF_5GHZ = 2, -        MLD_CONNECT_BAND_PREF_6GHZ = 3, -        MLD_CONNECT_BAND_PREF_MAX = 4, -    }  mld_connect_band_pref; +    /* Enumerations are defined in enum mld_connect_band_pref. */ +    int mld_connect_band_pref;      u8 mld_connect_bssid_pref[ETH_ALEN]; diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index ff045380e..b786e7f91 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h 
@@ -86,6 +86,9 @@ enum wpas_mac_addr_style {   * data is included in the per-interface configuration data as an element of   * the network list, struct wpa_config::ssid. Each network block in the   * configuration is mapped to a struct wpa_ssid instance. + * + * Warning: Pay attention to using enums in the structure as treating enums as ints + * in the config parser could be dangerous if sizeof(enum) != sizeof(int).   */
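Review bot: the two added "Warning:" comment lines (hunk @@ -448,6 +487,9 @@ in config.h and the matching hunk @@ -86,6 +86,9 @@ in config_ssid.h) are noticeably longer than the surrounding wrapped comment lines, and "could be dangerous if sizeof(enum) != sizeof(int)" leaves the reader to guess what actually goes wrong. Say it concretely and wrap it, for example:
 * Warning: members stored by the int parsers in config.c must be plain int.
 * sizeof(enum) may be smaller than sizeof(int) (e.g. with -fshort-enums),
 * in which case the parser's sizeof(int) write spills into the next member.
The same precision would help the commit message, which calls this a "buffer overflow": the write stays inside the struct but corrupts whatever member follows the undersized enum.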
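Review bot: in hunk @@ -441,6 +441,45 @@ of config.h, enum mld_connect_band_pref is hoisted to file scope without a doc comment and unconditionally, while the member it replaces lives under #ifdef CONFIG_TESTING_OPTIONS (hunk @@ -1789,13 +1814,8 @@); either keep the new enum under the same #ifdef or give it a doc comment like the one moved along with enum p2p_go_freq_change_policy, since it is now visible to every includer of config.h. Both new tags also share their names with the struct members they back (enum p2p_go_freq_change_policy next to int p2p_go_freq_change_policy); that is legal C because tags and members are in different namespaces, but a sentence in the commit message would stop a later reader from taking the collision for a mistake.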
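Review bot: the member hunks (@@ -444,7 +449,7 @@ enum wpas_mode mode -> int mode, and likewise ieee80211w, max_oper_chwidth, wpa_deny_ptk0_rekey, mac_addr, sae_pk, sae_pwe, pmf, preassoc_mac_addr, mbo_cell_capa, gas_rand_mac_addr and mld_connect_band_pref) drop the enum type from every consumer, so a switch on any of these members loses the -Wswitch warning for an unhandled enumerator. The cover letter's own alternative, an ENUM()/ENUM_RANGE() table entry whose parser writes a value of the member's actual type (or records sizeof(member) in the table and writes exactly that many bytes), removes the size mismatch without giving up the types; if int is kept, the commit message should state that trade-off explicitly. Separately, the new "Enumerations are defined in enum ..." sentence is followed by a blank " *" line before the value list only in the mode and ieee80211w hunks; the wpa_deny_ptk0_rekey, mac_addr, sae_pwe, pmf, preassoc_mac_addr and gas_rand_mac_addr hunks run it straight into "0 = ...", and the config.h sae_pwe hunk (@@ -1299,11 +1318,12 @@) also abuts the title line. Pick one form for all of them.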
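The size mismatch the cover letter describes, as an added C demonstration that is not wpa_supplicant code: a field table modelled on ssid_fields[] (name plus member offset) with an int parser that stores sizeof(int) bytes at the offset, a packed enum standing in for what -fshort-enums does to the real members, and a checked variant that refuses any member whose size is not sizeof(int). Names (demo_ssid, demo_fields, parse_field_checked) and the packed attribute (GCC/Clang) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo, not wpa_supplicant code. The packed attribute (GCC/Clang)
 * makes this enum 1 byte, which is what -fshort-enums does to the real ones. */
enum demo_mode { DEMO_MODE_INFRA = 0, DEMO_MODE_IBSS = 1 } __attribute__((packed));

struct demo_ssid {
	enum demo_mode mode;	/* sizeof == 1 here */
	uint8_t flags[3];	/* neighbours that a 4-byte int write overruns */
	int group_rekey;	/* a genuine int member */
};

/* Same shape as ssid_fields[] (name + offset) plus the member size the real table lacks. */
struct demo_field {
	const char *name;
	size_t offset;
	size_t size;
};

#define INT(member) { #member, offsetof(struct demo_ssid, member), sizeof(((struct demo_ssid *)0)->member) }

static const struct demo_field demo_fields[] = {
	INT(mode),		/* enum handled by the int parser: the bug */
	INT(group_rekey),	/* real int: fine */
};

/* The unchecked int parser: stores sizeof(int) bytes at the member offset, whatever its real size. */
static void parse_int_unchecked(struct demo_ssid *s, size_t offset, int value)
{
	memcpy((char *)s + offset, &value, sizeof(value));
}

/* Returns 1 if parsing mode=1 through the int path clobbers flags[]. */
int demo_unchecked_clobbers(void)
{
	struct demo_ssid s = { DEMO_MODE_INFRA, { 0xAA, 0xBB, 0xCC }, 0 };
	parse_int_unchecked(&s, demo_fields[0].offset, 1);
	return s.flags[0] != 0xAA || s.flags[1] != 0xBB || s.flags[2] != 0xCC;
}

/* Checked variant: refuse the int path unless the member really is int-sized.
 * Returns 0 on success, -1 on unknown name or size mismatch. */
int parse_field_checked(struct demo_ssid *s, const char *name, const char *value)
{
	size_t i;
	for (i = 0; i < sizeof(demo_fields) / sizeof(demo_fields[0]); i++) {
		const struct demo_field *f = &demo_fields[i];
		if (strcmp(f->name, name) != 0)
			continue;
		if (f->size != sizeof(int))
			return -1;	/* the write would run past the member */
		parse_int_unchecked(s, f->offset, atoi(value));
		return 0;
	}
	return -1;
}
```

The checked variant is the cheapest guard if the table keeps offsets only; recording the member size in the table (as here) lets it be a compile-time check rather than a runtime refusal.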