fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-06-19 08:58:28 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

supplicant: properly validate blobs

Browse source 
The purpose of the validation is to check that we pass to the
supplicant a configuration that it can understand. For certificates
and keys we enforce a maximum length of 64KiB; that means that the
value of the property we send (i.e. the file path or the blob id) can
be at most 64KiB. Instead we wrongly checked the size of the blob
data.

Fix the validation. Also, enforce a maximum blob size of 32MiB.

Fixes: e85cc46d0b ('core: pass certificates as blobs to supplicant for private connections')
(cherry picked from commit eb784c3f27)
This commit is contained in:
Beniamino Galvani 2025-12-19 17:50:15 +01:00
parent 258686968f
commit 7575117ab5
1 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/core/supplicant/nm-supplicant-config.c
View file

@ -206,20 +206,30 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
ConfigOption *old_opt;
ConfigOption *opt;
NMSupplOptType type;
const guint8 *data;
gsize data_len;
gs_free char *full_value = NULL;
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
g_return_val_if_fail(key != NULL, FALSE);
g_return_val_if_fail(value != NULL, FALSE);
g_return_val_if_fail(blobid != NULL, FALSE);
data = g_bytes_get_data(value, &data_len);
g_bytes_get_data(value, &data_len);
g_return_val_if_fail(data_len > 0, FALSE);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
if (data_len > 32 * 1024 * 1024) {
g_set_error(error,
NM_SUPPLICANT_ERROR,
NM_SUPPLICANT_ERROR_CONFIG,
"blob '%s' is larger than 32MiB",
key);
return FALSE;
}
type = nm_supplicant_settings_verify_setting(key, (const char *) data, data_len);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
full_value = g_strdup_printf("blob://%s", blobid);
type = nm_supplicant_settings_verify_setting(key, full_value, strlen(full_value));
if (type == NM_SUPPL_OPT_TYPE_INVALID) {
g_set_error(error,
NM_SUPPLICANT_ERROR,
@ -240,7 +250,7 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
}
opt = g_slice_new0(ConfigOption);
opt->value = g_strdup_printf("blob://%s", blobid);
opt->value = g_steal_pointer(&full_value);
opt->len = strlen(opt->value);
opt->type = type;