net: wifi: Fix crash in wifi_utils_parse_scan_ssids

wifi_utils_parse_scan_ssids could cause a crash if a constant string is
passed to it. Fix this by duplicating the input string parameter before
parsing it with strtok_r.

Also limit the range of the CONFIG_WIFI_SCAN_SSID_FILT_MAX parameter
from 1 to 4 to avoid stack overflow due to users specifying a large
value for this parameter.

Signed-off-by: Sachin D Kulkarni <sachin.kulkarni@nordicsemi.no>
This commit is contained in:
Sachin D Kulkarni 2023-09-05 18:38:54 +05:30 committed by Carles Cufí
commit 85b39b8449
2 changed files with 17 additions and 1 deletions

View file

@ -76,6 +76,7 @@ config WIFI_MGMT_SCAN_DWELL_TIME_PASSIVE
config WIFI_MGMT_SCAN_SSID_FILT_MAX
int "Maximum number of SSIDs that can be specified for SSID filtering"
default 1
range 1 4
help
Maximum number of SSIDs that can be specified for SSID filtering.
This can be set based on the underlying chipsets limitations.

View file

@ -259,15 +259,30 @@ int wifi_utils_parse_scan_bands(char *scan_bands_str, uint8_t *band_map)
int wifi_utils_parse_scan_ssids(char *scan_ssids_str,
char ssids[][WIFI_SSID_MAX_LEN + 1])
{
char parse_str[(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)) + 1];
char *ssid = NULL;
char *ctx = NULL;
uint8_t i = 0;
int len;
if (!scan_ssids_str) {
return -EINVAL;
}
ssid = strtok_r(scan_ssids_str, ",", &ctx);
len = strlen(scan_ssids_str);
if (len > (WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1))) {
NET_ERR("SSID string (%s) size (%d) exceeds maximum allowed value (%d)",
scan_ssids_str,
len,
(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)));
return -EINVAL;
}
strncpy(parse_str, scan_ssids_str, len);
parse_str[len] = '\0';
ssid = strtok_r(parse_str, ",", &ctx);
while (ssid) {
if (strlen(ssid) > WIFI_SSID_MAX_LEN) {