merge: branch 'bg/supplicant-blob-size'

supplicant: properly validate blobs https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2334
2025-12-20 07:00:05 +01:00 · 2025-12-19 17:09:47 +00:00 · 2025-12-19 17:09:47 +00:00 · 18480300c7
commit 18480300c7
parent a31a644f8b d799af33ec
2 changed files with 23 additions and 5 deletions
--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@ -5163,6 +5163,14 @@ helper_have_data(int fd, GIOCondition condition, gpointer user_data)
    n_read = nm_utils_fd_read(fd, &info->in_buffer);
    _LOG2T(info, "read returns %ld", (long) n_read);

+    if (info->in_buffer.len > 32 * 1024 * 1024) {
+        helper_complete(info,
+                        g_error_new_literal(NM_UTILS_ERROR,
+                                            NM_UTILS_ERROR_UNKNOWN,
+                                            "the output is larger than 32MiB"));
+        return G_SOURCE_CONTINUE;
+    }
+
    if (n_read > 0)
        return G_SOURCE_CONTINUE;

--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -206,20 +206,30 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
    ConfigOption              *old_opt;
    ConfigOption              *opt;
    NMSupplOptType             type;
-    const guint8              *data;
    gsize                      data_len;
+    gs_free char              *full_value = NULL;

    g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
    g_return_val_if_fail(key != NULL, FALSE);
    g_return_val_if_fail(value != NULL, FALSE);
    g_return_val_if_fail(blobid != NULL, FALSE);

-    data = g_bytes_get_data(value, &data_len);
+    g_bytes_get_data(value, &data_len);
    g_return_val_if_fail(data_len > 0, FALSE);

-    priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
+    if (data_len > 32 * 1024 * 1024) {
+        g_set_error(error,
+                    NM_SUPPLICANT_ERROR,
+                    NM_SUPPLICANT_ERROR_CONFIG,
+                    "blob '%s' is larger than 32MiB",
+                    key);
+        return FALSE;
+    }

-    type = nm_supplicant_settings_verify_setting(key, (const char *) data, data_len);
+    priv       = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
+    full_value = g_strdup_printf("blob://%s", blobid);
+
+    type = nm_supplicant_settings_verify_setting(key, full_value, strlen(full_value));
    if (type == NM_SUPPL_OPT_TYPE_INVALID) {
        g_set_error(error,
                    NM_SUPPLICANT_ERROR,
@ -240,7 +250,7 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
    }

    opt        = g_slice_new0(ConfigOption);
-    opt->value = g_strdup_printf("blob://%s", blobid);
+    opt->value = g_steal_pointer(&full_value);
    opt->len   = strlen(opt->value);
    opt->type  = type;