Fix a TOCTOU and symlink attack in netd.

bug: 7530471 Change-Id: Id2c445449c9abffbb00c774f180ec7f561570cb2

Fix a TOCTOU and symlink attack in netd.
bug: 7530471 Change-Id: Id2c445449c9abffbb00c774f180ec7f561570cb2
41426998 · Robert Greenwalt · 1babab9f · 41426998
Commit 41426998 authored 12 years ago by Robert Greenwalt
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

SoftapController.cpp SoftapController.cpp +6 -4

No files found.
--- a/SoftapController.cpp
+++ b/SoftapController.cpp
@@ -309,7 +309,7 @@ int SoftapController::setSoftap(int argc, char *argv[]) {
        asprintf(&fbuf, "%s", wbuf);
    }

-    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY, 0660);
+    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0660);
    if (fd < 0) {
        LOGE("Cannot update \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
        free(wbuf);
@@ -320,25 +320,27 @@ int SoftapController::setSoftap(int argc, char *argv[]) {
        LOGE("Cannot write to \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
        ret = -1;
    }
-    close(fd);
    free(wbuf);
    free(fbuf);

    /* Note: apparently open can fail to set permissions correctly at times */
-    if (chmod(HOSTAPD_CONF_FILE, 0660) < 0) {
+    if (fchmod(fd, 0660) < 0) {
        LOGE("Error changing permissions of %s to 0660: %s",
                HOSTAPD_CONF_FILE, strerror(errno));
+        close(fd);
        unlink(HOSTAPD_CONF_FILE);
        return -1;
    }

-    if (chown(HOSTAPD_CONF_FILE, AID_SYSTEM, AID_WIFI) < 0) {
+    if (fchown(fd, AID_SYSTEM, AID_WIFI) < 0) {
        LOGE("Error changing group ownership of %s to %d: %s",
                HOSTAPD_CONF_FILE, AID_WIFI, strerror(errno));
+        close(fd);
        unlink(HOSTAPD_CONF_FILE);
        return -1;
    }

+    close(fd);
 #else
    /* Create command line */
    i = addParam(i, "ASCII_CMD", "AP_CFG");