From 9b2aed731a52045b15adff68aa4fa36592bda2cc Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Tue, 7 Jun 2022 14:49:24 -0700
Subject: [PATCH] drivers/wifi/esp_at: Increase sprintk buffers to hold
 parameter types

This driver uses stack buffers to hold AT command strings which are
generated at runtime using sprintk. The buffers are only sized for the
expected range of values, not the full possible range given the datatypes
involved. Values outside this expected range could cause a buffer overflow.

To mitigate this, increase the size of each buffer to hold the full range
of each parameter type.

Signed-off-by: Keith Packard <keithp@keithp.com>
---
 drivers/wifi/esp_at/esp_offload.c | 4 ++--
 drivers/wifi/esp_at/esp_socket.c  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/wifi/esp_at/esp_offload.c b/drivers/wifi/esp_at/esp_offload.c
index 5f044860c62..a06a1d23cfc 100644
--- a/drivers/wifi/esp_at/esp_offload.c
+++ b/drivers/wifi/esp_at/esp_offload.c
@@ -38,7 +38,7 @@ static int esp_listen(struct net_context *context, int backlog)
 
 static int _sock_connect(struct esp_data *dev, struct esp_socket *sock)
 {
-	char connect_msg[sizeof("AT+CIPSTART=0,\"TCP\",\"\",65535,7200") +
+	char connect_msg[sizeof("AT+CIPSTART=000,\"TCP\",\"\",65535,7200") +
 			 NET_IPV4_ADDR_LEN];
 	char addr_str[NET_IPV4_ADDR_LEN];
 	struct sockaddr dst;
@@ -482,7 +482,7 @@ void esp_recvdata_work(struct k_work *work)
 	struct esp_socket *sock = CONTAINER_OF(work, struct esp_socket,
 					       recvdata_work);
 	struct esp_data *data = esp_socket_to_dev(sock);
-	char cmd[sizeof("AT+CIPRECVDATA=0,"STRINGIFY(CIPRECVDATA_MAX_LEN))];
+	char cmd[sizeof("AT+CIPRECVDATA=000,"STRINGIFY(CIPRECVDATA_MAX_LEN))];
 	static const struct modem_cmd cmds[] = {
 		MODEM_CMD_DIRECT(_CIPRECVDATA, on_cmd_ciprecvdata),
 	};
diff --git a/drivers/wifi/esp_at/esp_socket.c b/drivers/wifi/esp_at/esp_socket.c
index 0dc922ee05d..e3600ea5366 100644
--- a/drivers/wifi/esp_at/esp_socket.c
+++ b/drivers/wifi/esp_at/esp_socket.c
@@ -198,7 +198,7 @@ void esp_socket_rx(struct esp_socket *sock, struct net_buf *buf,
 void esp_socket_close(struct esp_socket *sock)
 {
 	struct esp_data *dev = esp_socket_to_dev(sock);
-	char cmd_buf[sizeof("AT+CIPCLOSE=0")];
+	char cmd_buf[sizeof("AT+CIPCLOSE=000")];
 	int ret;
 
 	snprintk(cmd_buf, sizeof(cmd_buf), "AT+CIPCLOSE=%d",