On Wed, Apr 03, 2019 at 06:17:11PM +0300, Andrei Otcheretianski wrote:
> The way that the P2P Device interface name was constructed, might
> result with an interface name that exceeds the maximal allowed
> interface name length (IFNAMSZ).
>
> Fix this by properly limiting the created interface name length.

How is this supposed to work and guarantee that the truncated interface
name would be unique?

> diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
> @@ -3794,14 +3794,21 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s,
> {
> struct wpa_interface iface;
> struct wpa_supplicant *p2pdev_wpa_s;
> - char ifname[100];
> - char force_name[100];
> + char ifname[IFNAMSIZ];
> + char force_name[IFNAMSIZ];

IFNAMSIZ as the array length would mean that the array can hold only
IFNAMSIZ-1 character long name, so this would be truncating to shorter
than IFNAMSIZ characters..

> ret = os_snprintf(ifname, sizeof(ifname), P2P_MGMT_DEVICE_PREFIX "%s",
> wpa_s->ifname);
> - if (os_snprintf_error(sizeof(ifname), ret))
> +
> + if (ret >= IFNAMSIZ) {
> + wpa_printf(MSG_WARNING,
> + "P2P: P2P Device interface name truncated=%s",
> + ifname);
> + } else if (ret < 0) {
> return -1;
> + }

So what if snprintf returns IFNAMSIZ? Wouldn't that leave ifname[] without
nul termination here? And that could result in reading beyond the end of
the buffer when using this string, e.g., in that wpa_printf() print.

-- 
Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
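Review bot: the truncation branch in the second hunk only logs a warning and then falls through, so the rest of wpas_p2p_add_p2pdev_interface() continues with a silently shortened ifname; since the warning text itself admits the name was changed, returning -1 there (or adding a comment explaining why a truncated name is acceptable) would be clearer than proceeding. Two smaller points: the new check compares against the literal IFNAMSIZ while the os_snprintf() call is sized with sizeof(ifname), so `if (ret >= (int) sizeof(ifname))` keeps the check tied to the buffer it guards, and the explicit `ret >= IFNAMSIZ` / `ret < 0` pair replaces the os_snprintf_error() helper used elsewhere in this code base; also, the hunk shrinks force_name to IFNAMSIZ but shows no corresponding handling of the os_snprintf() that fills it, so that path should get the same treatment.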