From: "Henryk Plötz" <henryk@ploetzli.ch>
To: bluez-devel@lists.sourceforge.net
Subject: Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper
Date: Fri, 5 Aug 2005 06:39:27 +0200 [thread overview]
Message-ID: <20050805063927.3d714a89.henryk@ploetzli.ch> (raw)
In-Reply-To: <1123211794.8331.104.camel@pegasus>
[-- Attachment #1.1: Type: text/plain, Size: 781 bytes --]
Moin,
Am Fri, 05 Aug 2005 05:16:34 +0200 schrieb Marcel Holtmann:
> thanks for catching this problem. Do you have a fix for it?
Now I have, I think. Doing string escaping in C is really awkward, but
this patch should prefix all occurences of ", \, $ or ` in the name with
an \, and will also change the enclosing single quotes to double quotes
(because no escaping is possible in single quotes). There would also be
an alternative way to fix it: remove the popen() and instead do a
pipe()/fork()/dup2()/execv() combination. That should be more clean, but
likely more complicated.
--
Henryk Plötz
Grüße aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: callpinhelper.patch --]
[-- Type: text/x-patch; name="callpinhelper.patch", Size: 1249 bytes --]
--- security.c.orig 2005-08-05 05:34:15.000000000 +0200
+++ security.c 2005-08-05 06:18:14.000000000 +0200
@@ -306,7 +306,7 @@ static void call_pin_helper(int dev, bda
{
pin_code_reply_cp pr;
struct sigaction sa;
- char addr[18], str[255], *pin, name[249];
+ char addr[18], str[255], *pin, name[249], escapename[498];
FILE *pipe;
int ret, len;
@@ -331,9 +331,28 @@ static void call_pin_helper(int dev, bda
read_device_name(sba, &ci->bdaddr, name);
//hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
+ /* Escape special chars from the remote name */
+ {
+ char *src = name, *dest = escapename,
+ *end = name + sizeof(name) - 1;
+ while (src < end && *src != 0) {
+ switch(*src) {
+ case '\"': /* fall-through */
+ case '$':
+ case '`':
+ case '\\':
+ *dest++ = '\\';
+ default:
+ *dest++ = *src++;
+ }
+ }
+ *dest = 0;
+ }
+
ba2str(&ci->bdaddr, addr);
- snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
- ci->out ? "out" : "in", addr, name);
+ snprintf(str, sizeof(str), "%s %s %s \"%s\"", hcid.pin_helper,
+ ci->out ? "out" : "in", addr,
+ escapename);
setenv("PATH", "/bin:/usr/bin:/usr/local/bin", 1);
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2005-08-05 4:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-05 3:09 [Bluez-devel] Possible security vulnerability in hcid when calling pin helper Henryk Plötz
2005-08-05 3:16 ` Marcel Holtmann
2005-08-05 4:39 ` Henryk Plötz [this message]
2005-08-05 8:39 ` Marcel Holtmann
2005-08-05 11:06 ` Steven Singer
2005-08-05 11:12 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050805063927.3d714a89.henryk@ploetzli.ch \
--to=henryk@ploetzli.ch \
--cc=bluez-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox