[1/2] knownnetworks: fix potential out of bounds write

Commit Message

Jiajie Chen Feb. 26, 2023, 6:25 a.m. UTC

If a very long ssid was used (e.g. CJK characters in SSID), it might do
out of bounds write to static variable for lack of checking the position
before the last snprintf() call.
---
 src/knownnetworks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Denis Kenzior Feb. 27, 2023, 4:24 p.m. UTC | #1

Hi Jiajie,

On 2/26/23 00:25, Jiajie Chen wrote:
> If a very long ssid was used (e.g. CJK characters in SSID), it might do
> out of bounds write to static variable for lack of checking the position
> before the last snprintf() call.
> ---
>   src/knownnetworks.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 

Nice catch.  Applied, thanks.

Regards,
-Denis

Patch

diff --git a/src/knownnetworks.c b/src/knownnetworks.c
index 487b7017..6c575e50 100644
--- a/src/knownnetworks.c
+++ b/src/knownnetworks.c
@@ -176,7 +176,8 @@  static const char *known_network_get_path(const struct network_info *network)
 		pos += snprintf(path + pos, sizeof(path) - pos, "%02x",
 				network->ssid[i]);
 
-	snprintf(path + pos, sizeof(path) - pos, "_%s",
+	if (pos < sizeof(path))
+		snprintf(path + pos, sizeof(path) - pos, "_%s",
 			security_to_str(network->type));
 	path[sizeof(path) - 1] = '\0';