From ec38e9ef643f8c89d4487dd9b712a0606dcf7b83 Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Fri, 6 Jun 2025 12:35:37 -0700
Subject: [PATCH] wifi/esp32: Fix overflow in SSID copy
In the previous code, strnlen could have returned WIFI_SSID_MAX_LEN, and the following statement ensuring NUL termination would have written one past the end of the array. Replace this with code that ensures a NUL termination within the bounds of the array and then use strlen to compute the length.
Signed-off-by: Keith Packard
---
 drivers/wifi/esp32/src/esp_wifi_drv.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/wifi/esp32/src/esp_wifi_drv.c b/drivers/wifi/esp32/src/esp_wifi_drv.c
index 305994d6a32..b1499168a45 100644
--- a/drivers/wifi/esp32/src/esp_wifi_drv.c
+++ b/drivers/wifi/esp32/src/esp_wifi_drv.c
@@ -770,8 +770,10 @@ static int esp32_wifi_status(const struct device *dev, struct wifi_iface_status
 }
 strncpy(status->ssid, data->status.ssid, WIFI_SSID_MAX_LEN);
- status->ssid_len = strnlen(data->status.ssid, WIFI_SSID_MAX_LEN);
- status->ssid[status->ssid_len] = '\0';
+ /* Ensure the result is NUL terminated */
+ status->ssid[WIFI_SSID_MAX_LEN-1] = '\0';
+ /* We know it is NUL terminated, so we can use strlen */
+ status->ssid_len = strlen(data->status.ssid);
 status->band = WIFI_FREQ_BAND_2_4_GHZ;
 status->link_mode = WIFI_LINK_MODE_UNKNOWN;
 status->mfp = WIFI_MFP_DISABLE;
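Review bot: The added `status->ssid_len = strlen(data->status.ssid);` measures the source buffer, while the NUL written on the line above it goes into `status->ssid`, so the comment's "we know it is NUL terminated" does not hold for the array that is actually scanned. If `data->status.ssid` holds WIFI_SSID_MAX_LEN bytes with no terminator, strlen reads past it, and `ssid_len` can come out larger than the truncated copy that consumers of the status struct will index. Measuring the destination closes both gaps: `status->ssid_len = strlen(status->ssid);`. Separately, if `status->ssid` is exactly WIFI_SSID_MAX_LEN bytes (as the commit message implies; its declaration is not in the hunk), a maximum-length SSID now loses its last byte, which may deserve a comment or a larger buffer. The body of esp32_wifi_status starts and ends outside the hunk.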