net: wifi: Fix crash in wifi_utils_parse_scan_ssids
wifi_utils_parse_scan_ssids could cause a crash if a constant string is passed to it. Fix this by duplicating the input string parameter before parsing it with strtok_r. Also limit the range of the CONFIG_WIFI_SCAN_SSID_FILT_MAX parameter from 1 to 4 to avoid stack overflow due to users specifying a large value for this parameter. Signed-off-by: Sachin D Kulkarni <sachin.kulkarni@nordicsemi.no>
This commit is contained in:
parent
0b92327fc3
commit
85b39b8449
2 changed files with 17 additions and 1 deletions
|
@ -76,6 +76,7 @@ config WIFI_MGMT_SCAN_DWELL_TIME_PASSIVE
|
|||
config WIFI_MGMT_SCAN_SSID_FILT_MAX
|
||||
int "Maximum number of SSIDs that can be specified for SSID filtering"
|
||||
default 1
|
||||
range 1 4
|
||||
help
|
||||
Maximum number of SSIDs that can be specified for SSID filtering.
|
||||
This can be set based on the underlying chipsets limitations.
|
||||
|
|
|
@ -259,15 +259,30 @@ int wifi_utils_parse_scan_bands(char *scan_bands_str, uint8_t *band_map)
|
|||
int wifi_utils_parse_scan_ssids(char *scan_ssids_str,
|
||||
char ssids[][WIFI_SSID_MAX_LEN + 1])
|
||||
{
|
||||
char parse_str[(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)) + 1];
|
||||
char *ssid = NULL;
|
||||
char *ctx = NULL;
|
||||
uint8_t i = 0;
|
||||
int len;
|
||||
|
||||
if (!scan_ssids_str) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ssid = strtok_r(scan_ssids_str, ",", &ctx);
|
||||
len = strlen(scan_ssids_str);
|
||||
|
||||
if (len > (WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1))) {
|
||||
NET_ERR("SSID string (%s) size (%d) exceeds maximum allowed value (%d)",
|
||||
scan_ssids_str,
|
||||
len,
|
||||
(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)));
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
strncpy(parse_str, scan_ssids_str, len);
|
||||
parse_str[len] = '\0';
|
||||
|
||||
ssid = strtok_r(parse_str, ",", &ctx);
|
||||
|
||||
while (ssid) {
|
||||
if (strlen(ssid) > WIFI_SSID_MAX_LEN) {
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue