drivers: wifi: eswifi: Fix parsing buffer-overflows

There are possible buffer overflows when parsing the ip address and SSID. Ensure that we never overwrite the ip and SSID buffers. Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
2020-07-08 09:22:33 +02:00 · 2020-07-08 09:22:33 +02:00 · 40e2d94bc8
commit 40e2d94bc8
parent e7c4d29c86
1 changed files with 16 additions and 16 deletions
--- a/drivers/wifi/eswifi/eswifi_core.c
+++ b/drivers/wifi/eswifi/eswifi_core.c
@ -52,29 +52,30 @@ static int eswifi_reset(struct eswifi_dev *eswifi)

 static inline int __parse_ssid(char *str, char *ssid)
 {
-	/* fnt => '"SSID"' */
+	int i = 0;

-	if (!*str || (*str != '"')) {
-		return -EINVAL;
-	}
-
-	str++;
-	while (*str && (*str != '"')) {
-		*ssid++ = *str++;
-	}
-
-	*ssid = '\0';
+	/* fmt => "SSID" */

 	if (*str != '"') {
-		return -EINVAL;
+		return 0;
+	}
+	str++;
+
+	while (*str && (*str != '"') && i < WIFI_SSID_MAX_LEN) {
+		ssid[i++] = *str++;
 	}

-	return -EINVAL;
+	if (*str != '"') {
+		return 0;
+	}
+
+	return i;
 }

 static void __parse_scan_res(char *str, struct wifi_scan_result *res)
 {
 	int field = 0;
+	int ret;

 	/* fmt => #001,"SSID",MACADDR,RSSI,BITRATE,MODE,SECURITY,BAND,CHANNEL */

@ -90,8 +91,7 @@ static void __parse_scan_res(char *str, struct wifi_scan_result *res)

 		switch (++field) {
 		case 1: /* SSID */
-			__parse_ssid(str, res->ssid);
-			res->ssid_length = strlen(res->ssid);
+			res->ssid_length = __parse_ssid(str, res->ssid);
 			str += res->ssid_length;
 			break;
 		case 2: /* mac addr */
@ -180,7 +180,7 @@ static int __parse_ipv4_address(char *str, char *ssid, uint8_t ip[4])
 	unsigned int byte = -1;

 	/* fmt => [JOIN   ] SSID,192.168.2.18,0,0 */
-	while (*str) {
+	while (*str && byte < 4) {
 		if (byte == -1) {
 			if (!strncmp(str, ssid, strlen(ssid))) {
 				byte = 0U;