Message ID | 20230226062526.3115588-1-c@jia.je (mailing list archive) |
---|---|
State | Accepted, archived |
Headers | show |
Series | [1/2] knownnetworks: fix potential out of bounds write | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
prestwoj/iwd-alpine-ci-fetch | success | Fetch PR |
prestwoj/iwd-ci-gitlint | success | GitLint |
prestwoj/iwd-ci-fetch | success | Fetch PR |
prestwoj/iwd-alpine-ci-makedistcheck | success | Make Distcheck |
prestwoj/iwd-ci-build | success | Build - Configure |
prestwoj/iwd-alpine-ci-build | success | Build - Configure |
prestwoj/iwd-alpine-ci-makecheckvalgrind | success | Make Check w/Valgrind |
prestwoj/iwd-alpine-ci-makecheck | success | Make Check |
prestwoj/iwd-ci-clang | success | clang PASS |
prestwoj/iwd-ci-makecheckvalgrind | success | Make Check w/Valgrind |
prestwoj/iwd-ci-makecheck | success | Make Check |
prestwoj/iwd-alpine-ci-incremental_build | success | Incremental Build with patches |
prestwoj/iwd-ci-incremental_build | success | Incremental Build with patches |
prestwoj/iwd-ci-makedistcheck | success | Make Distcheck |
prestwoj/iwd-ci-testrunner | success | test-runner PASS |
Hi Jiajie, On 2/26/23 00:25, Jiajie Chen wrote: > If a very long ssid was used (e.g. CJK characters in SSID), it might do > out of bounds write to static variable for lack of checking the position > before the last snprintf() call. > --- > src/knownnetworks.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > Nice catch. Applied, thanks. Regards, -Denis
diff --git a/src/knownnetworks.c b/src/knownnetworks.c index 487b7017..6c575e50 100644 --- a/src/knownnetworks.c +++ b/src/knownnetworks.c @@ -176,7 +176,8 @@ static const char *known_network_get_path(const struct network_info *network) pos += snprintf(path + pos, sizeof(path) - pos, "%02x", network->ssid[i]); - snprintf(path + pos, sizeof(path) - pos, "_%s", + if (pos < sizeof(path)) + snprintf(path + pos, sizeof(path) - pos, "_%s", security_to_str(network->type)); path[sizeof(path) - 1] = '\0';