Skip to content

Commit

Permalink
Fix length checks on inputs to ascii2hexstr() for WPS+NFC commands
Browse files Browse the repository at this point in the history 
The previously used checks were assuming incorrect direction for
hexdump/binary conversion and could have resulted in buffer write
overflow with invalid input. The used buffers were long enough to avoid
issues with valid input of maximum SSID/passphrase length, i.e., this
does not show up in normal CAPI operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
  • Loading branch information
@jmalinen
vamsi krishna authored and jmalinen committed May 12, 2017
1 parent e9fa795 commit 8c9c156
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions p2p.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2480,8 +2480,8 @@ static int nfc_wps_read_passwd(struct sigma_dut *dut,
run_system(dut, "killall wps-nfc.py");
run_system(dut, "killall p2p-nfc.py");

if ((ssid && strlen(ssid) >= 2 * sizeof(ssid_hex)) ||
(passphrase && strlen(passphrase) >= 2 * sizeof(passphrase_hex))) {
if ((ssid && 2 * strlen(ssid) >= sizeof(ssid_hex)) ||
(passphrase && 2 * strlen(passphrase) >= sizeof(passphrase_hex))) {
send_resp(dut, conn, SIGMA_ERROR,
"ErrorCode,Too long SSID/passphrase");
return 0;
Expand Down
4 changes: 2 additions & 2 deletions sta.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8412,8 +8412,8 @@ static int cmd_sta_er_config(struct sigma_dut *dut, struct sigma_conn *conn,
return 0;
}

if (strlen(ssid) >= 2 * sizeof(ssid_hex) ||
strlen(passphrase) >= 2 * sizeof(passphrase_hex)) {
if (2 * strlen(ssid) >= sizeof(ssid_hex) ||
2 * strlen(passphrase) >= sizeof(passphrase_hex)) {
send_resp(dut, conn, SIGMA_ERROR,
"ErrorCode,Too long SSID/passphrase");
return 0;
Expand Down

0 comments on commit 8c9c156

Please sign in to comment.