michaelh/zephyr
1
0
Fork 0
Code Releases Activity

wifi/esp32: Fix overflow in SSID copy

Browse source 
In the previous code, strnlen could have returned WIFI_SSID_MAX_LEN, and
the following statement ensuring NUL termination would have written one
past the end of the array.

Replace this with code that ensures a NUL termination within the bounds
of the array and then use strlen to compute the length.

Signed-off-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
Keith Packard 2025-06-06 12:35:37 -07:00 committed by Henrik Brix Andersen
commit ec38e9ef64
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
drivers/wifi/esp32/src/esp_wifi_drv.c
View file

@ -770,8 +770,10 @@ static int esp32_wifi_status(const struct device *dev, struct wifi_iface_status
}
strncpy(status->ssid, data->status.ssid, WIFI_SSID_MAX_LEN);
status->ssid_len = strnlen(data->status.ssid, WIFI_SSID_MAX_LEN);
status->ssid[status->ssid_len] = '\0';
/* Ensure the result is NUL terminated */
status->ssid[WIFI_SSID_MAX_LEN-1] = '\0';
/* We know it is NUL terminated, so we can use strlen */
status->ssid_len = strlen(data->status.ssid);
status->band = WIFI_FREQ_BAND_2_4_GHZ;
status->link_mode = WIFI_LINK_MODE_UNKNOWN;
status->mfp = WIFI_MFP_DISABLE;