Skip to content

Commit

Permalink
P2P: Fix off-by-one in p2p_group_get() buffer bounds checking
Browse files Browse the repository at this point in the history 
This buffer is a NUL terminated array so must check that the GO Device
Address is short enough to fit into the buffer with that extra character
added in the end.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
  • Loading branch information
@jmalinen
Peng Xu authored and jmalinen committed Oct 11, 2017
1 parent 26b356d commit 40cbba3
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion p2p.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,7 @@ static struct wfa_cs_p2p_group * p2p_group_get(struct sigma_dut *dut,
pos = strchr(grpid, ' ');
if (pos == NULL)
return NULL;
if (pos - grpid > (int) sizeof(go_dev_addr))
if (pos - grpid >= (int) sizeof(go_dev_addr))
return NULL;
memcpy(go_dev_addr, grpid, pos - grpid);
go_dev_addr[pos - grpid] = '\0';
Expand Down

0 comments on commit 40cbba3

Please sign in to comment.