Fix a TOCTOU and symlink attack in netd.
Bug: 7530471
Change-Id: I01fc79d647831dea903e4b852b874eb7bbed25fb
diff --git a/SoftapController.cpp b/SoftapController.cpp
index c4dcc7f..5db8742 100644
--- a/SoftapController.cpp
+++ b/SoftapController.cpp
@@ -169,7 +169,7 @@
asprintf(&fbuf, "%s", wbuf);
}
- fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY, 0660);
+ fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW , 0660);
if (fd < 0) {
ALOGE("Cannot update \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
free(wbuf);
@@ -180,25 +180,27 @@
ALOGE("Cannot write to \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
ret = -1;
}
- close(fd);
free(wbuf);
free(fbuf);
/* Note: apparently open can fail to set permissions correctly at times */
- if (chmod(HOSTAPD_CONF_FILE, 0660) < 0) {
+ if (fchmod(fd, 0660) < 0) {
ALOGE("Error changing permissions of %s to 0660: %s",
HOSTAPD_CONF_FILE, strerror(errno));
+ close(fd);
unlink(HOSTAPD_CONF_FILE);
return -1;
}
- if (chown(HOSTAPD_CONF_FILE, AID_SYSTEM, AID_WIFI) < 0) {
+ if (fchown(fd, AID_SYSTEM, AID_WIFI) < 0) {
ALOGE("Error changing group ownership of %s to %d: %s",
HOSTAPD_CONF_FILE, AID_WIFI, strerror(errno));
+ close(fd);
unlink(HOSTAPD_CONF_FILE);
return -1;
}
+ close(fd);
return ret;
}
