hostapd config parsing issues

Richard Schleich rs at noreya.tech
Wed Apr 13 08:46:29 PDT 2022


Hi,

This was tested with hostapd 2.10; earlier versions are probably also 
affected.

Recently I started to test a WLAN module. For this I set up an AP with 
hostapd and verified the settings from a second system using "iw dev scan".

I reached a point where the configuration I had set no longer matched 
the scan result.
I checked the source code and found out that the parsing of the option 
"ht_capab" does not check for "#" comments.
The comment in the following line is simply ignored:
ht_capab=[HT20] #[HT40+]

This is quite confusing, since programs usually do not parse comments or 
report an error.
Even worse, in some cases this behavior can be used to lower security 
standards:
tls_flags=[ENABLE-TLSv1.3][ENABLE-TLSv1.2] #[ENABLE-TLSv1.0]

I searched some more and found a second problem.
The parser for wpa_pairwise is not vulnerable to comments but to NULL 
characters.
If you add an ASCII NULL (binary 0) after "TKIP", hostapd will ignore 
"CCMP".
wpa_pairwise=TKIP CCMP (wpa_pairwise=TKIP^@ CCMP)

Some tools like "vim" show NULL as "^@" while others like "cat" ignore 
it completely and show a supposedly safe configuration.

It also seems that the "int line" variable in the config parser can be 
used to trigger an integer overflow since it is not checked. Because 
hostapd is compiled for many different architectures this might be a 
problem.

These are small bugs that require direct access to the system to pose a 
security threat and can be easily fixed.
However, I would bet that the config parser has many similar problems as 
I only had to search a few hours to find these ones.
Maybe in the long-term it would be better to replace the "self-made" 
parser with a tested library (libconfig?) to avoid these issues.

best regards,
Richard Schleich
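As an added illustration (not part of the report above, and not hostapd's own code), a small audit script that flags the two ambiguities described: an inline "#" inside a value, which hostapd does not treat as a comment marker, and a NUL byte, which truncates what a C string parser sees while "cat" hides it. The sample config is constructed to reproduce the report's three lines.

```python
"""Audit a hostapd.conf for inline '#' in values and embedded NUL bytes."""
from typing import List, Tuple

# Constructed sample reproducing the patterns from the report.
SAMPLE_CONF = (
    b"interface=wlan0\n"
    b"# full-line comments are skipped by hostapd\n"
    b"ht_capab=[HT20] #[HT40+]\n"
    b"tls_flags=[ENABLE-TLSv1.3][ENABLE-TLSv1.2] #[ENABLE-TLSv1.0]\n"
    b"wpa_pairwise=TKIP\x00 CCMP\n"
    b"wpa=2\n"
)

Finding = Tuple[int, str, str, str]  # (line_no, key, kind, detail)


def audit_hostapd_config(data: bytes) -> List[Finding]:
    """Return one finding per suspicious 'key=value' line.

    kind == "nul": the value contains a NUL; 'parser sees' is the value
    truncated at the first NUL (what a strlen()-based parser gets), 'display
    shows' is the value with the NUL dropped (what 'cat' prints).
    kind == "inline_comment": a '#' appears inside the value, where hostapd
    does not recognise it as starting a comment.
    """
    findings: List[Finding] = []
    for no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.strip()  # strips whitespace only; NUL bytes survive
        if not line or line.startswith(b"#"):
            continue  # blank line or full-line comment
        key, sep, value = line.partition(b"=")
        k = key.decode("ascii", errors="replace")
        if not sep:
            findings.append((no, k, "no_separator", "line has no '='"))
            continue
        if b"\x00" in value:
            parser_view = value.split(b"\x00", 1)[0].decode("ascii", "replace")
            display_view = value.replace(b"\x00", b"").decode("ascii", "replace")
            findings.append((no, k, "nul", "parser sees %r, display shows %r"
                             % (parser_view, display_view)))
        if b"#" in value:
            findings.append((no, k, "inline_comment", "value contains '#': %r"
                             % value.decode("ascii", "replace")))
    return findings


if __name__ == "__main__":
    for no, key, kind, detail in audit_hostapd_config(SAMPLE_CONF):
        print(f"line {no}: {key}: {kind}: {detail}")
```

To audit a real file, pass the contents read in binary mode (open(path, "rb").read()) so NUL bytes are preserved.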