net: wifi: Fix crash in wifi_utils_parse_scan_ssids

wifi_utils_parse_scan_ssids could cause a crash if a constant string is passed to it. Fix this by duplicating the input string parameter before parsing it with strtok_r. Also limit the range of the CONFIG_WIFI_SCAN_SSID_FILT_MAX parameter from 1 to 4 to avoid stack overflow due to users specifying a large value for this parameter. Signed-off-by: Sachin D Kulkarni <sachin.kulkarni@nordicsemi.no>
2023-09-05 18:38:54 +05:30 · 2023-09-05 18:38:54 +05:30 · 85b39b8449
commit 85b39b8449
parent 0b92327fc3
2 changed files with 17 additions and 1 deletions
--- a/subsys/net/l2/wifi/Kconfig
+++ b/subsys/net/l2/wifi/Kconfig
@ -76,6 +76,7 @@ config WIFI_MGMT_SCAN_DWELL_TIME_PASSIVE
 config WIFI_MGMT_SCAN_SSID_FILT_MAX
 	int "Maximum number of SSIDs that can be specified for SSID filtering"
 	default 1
+	range 1 4
 	help
 	  Maximum number of SSIDs that can be specified for SSID filtering.
 	  This can be set based on the underlying chipsets limitations.
--- a/subsys/net/l2/wifi/wifi_utils.c
+++ b/subsys/net/l2/wifi/wifi_utils.c
@ -259,15 +259,30 @@ int wifi_utils_parse_scan_bands(char *scan_bands_str, uint8_t *band_map)
 int wifi_utils_parse_scan_ssids(char *scan_ssids_str,
 				char ssids[][WIFI_SSID_MAX_LEN + 1])
 {
+	char parse_str[(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)) + 1];
 	char *ssid = NULL;
 	char *ctx = NULL;
 	uint8_t i = 0;
+	int len;

 	if (!scan_ssids_str) {
 		return -EINVAL;
 	}

-	ssid = strtok_r(scan_ssids_str, ",", &ctx);
+	len = strlen(scan_ssids_str);
+
+	if (len > (WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1))) {
+		NET_ERR("SSID string (%s) size (%d) exceeds maximum allowed value (%d)",
+			scan_ssids_str,
+			len,
+			(WIFI_MGMT_SCAN_SSID_FILT_MAX * (WIFI_SSID_MAX_LEN + 1)));
+		return -EINVAL;
+	}
+
+	strncpy(parse_str, scan_ssids_str, len);
+	parse_str[len] = '\0';
+
+	ssid = strtok_r(parse_str, ",", &ctx);

 	while (ssid) {
 		if (strlen(ssid) > WIFI_SSID_MAX_LEN) {