fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-05 04:30:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

supplicant: properly validate blobs

Browse source 
The purpose of the validation is to check that we pass to the
supplicant a configuration that it can understand. For certificates
and keys we enforce a maximum length of 64KiB; that means that the
value of the property we send (i.e. the file path or the blob id) can
be at most 64KiB. Instead we wrongly checked the size of the blob
data.

Fix the validation. Also, enforce a maximum blob size of 32MiB.

Fixes: e85cc46d0b ('core: pass certificates as blobs to supplicant for private connections')
This commit is contained in:
Beniamino Galvani 2025-12-19 17:50:15 +01:00
parent 91f5fec396
commit d799af33ec
1 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/core/supplicant/nm-supplicant-config.c
View file

@ -206,20 +206,30 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
ConfigOption *old_opt;
ConfigOption *opt;
NMSupplOptType type;
const guint8 *data;
gsize data_len;
gs_free char *full_value = NULL;
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
g_return_val_if_fail(key != NULL, FALSE);
g_return_val_if_fail(value != NULL, FALSE);
g_return_val_if_fail(blobid != NULL, FALSE);
data = g_bytes_get_data(value, &data_len);
g_bytes_get_data(value, &data_len);
g_return_val_if_fail(data_len > 0, FALSE);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
if (data_len > 32 * 1024 * 1024) {
g_set_error(error,
NM_SUPPLICANT_ERROR,
NM_SUPPLICANT_ERROR_CONFIG,
"blob '%s' is larger than 32MiB",
key);
return FALSE;
}
type = nm_supplicant_settings_verify_setting(key, (const char *) data, data_len);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
full_value = g_strdup_printf("blob://%s", blobid);
type = nm_supplicant_settings_verify_setting(key, full_value, strlen(full_value));
if (type == NM_SUPPL_OPT_TYPE_INVALID) {
g_set_error(error,
NM_SUPPLICANT_ERROR,
@ -240,7 +250,7 @@ nm_supplicant_config_add_blob(NMSupplicantConfig *self,
}
opt = g_slice_new0(ConfigOption);
opt->value = g_strdup_printf("blob://%s", blobid);
opt->value = g_steal_pointer(&full_value);
opt->len = strlen(opt->value);
opt->type = type;