drivers/wifi/esp_at: Increase sprintk buffers to hold parameter types

This driver uses stack buffers to hold AT command strings which are
generated at runtime using sprintk. The buffers are only sized for the
expected range of values, not the full possible range given the datatypes
involved. Values outside this expected range could cause a buffer overflow.

To mitigate this, increase the size of each buffer to hold the full range
of each parameter type.

Signed-off-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
Keith Packard 2022-06-07 14:49:24 -07:00 committed by Carles Cufí
commit 9b2aed731a
2 changed files with 3 additions and 3 deletions

View file

@ -38,7 +38,7 @@ static int esp_listen(struct net_context *context, int backlog)
static int _sock_connect(struct esp_data *dev, struct esp_socket *sock)
{
char connect_msg[sizeof("AT+CIPSTART=0,\"TCP\",\"\",65535,7200") +
char connect_msg[sizeof("AT+CIPSTART=000,\"TCP\",\"\",65535,7200") +
NET_IPV4_ADDR_LEN];
char addr_str[NET_IPV4_ADDR_LEN];
struct sockaddr dst;
@ -482,7 +482,7 @@ void esp_recvdata_work(struct k_work *work)
struct esp_socket *sock = CONTAINER_OF(work, struct esp_socket,
recvdata_work);
struct esp_data *data = esp_socket_to_dev(sock);
char cmd[sizeof("AT+CIPRECVDATA=0,"STRINGIFY(CIPRECVDATA_MAX_LEN))];
char cmd[sizeof("AT+CIPRECVDATA=000,"STRINGIFY(CIPRECVDATA_MAX_LEN))];
static const struct modem_cmd cmds[] = {
MODEM_CMD_DIRECT(_CIPRECVDATA, on_cmd_ciprecvdata),
};

View file

@ -198,7 +198,7 @@ void esp_socket_rx(struct esp_socket *sock, struct net_buf *buf,
void esp_socket_close(struct esp_socket *sock)
{
struct esp_data *dev = esp_socket_to_dev(sock);
char cmd_buf[sizeof("AT+CIPCLOSE=0")];
char cmd_buf[sizeof("AT+CIPCLOSE=000")];
int ret;
snprintk(cmd_buf, sizeof(cmd_buf), "AT+CIPCLOSE=%d",