Commit ec38e9ef authored by Keith Packard's avatar Keith Packard Committed by Henrik Brix Andersen
Browse files

wifi/esp32: Fix overflow in SSID copy



In the previous code, strnlen could have returned WIFI_SSID_MAX_LEN, and
the following statement ensuring NUL termination would have written one
past the end of the array.

Replace this with code that ensures a NUL termination within the bounds
of the array and then use strlen to compute the length.

Signed-off-by: default avatarKeith Packard <keithp@keithp.com>
parent df1cd1b0
Loading
Loading
Loading
Loading
+4 −2
Original line number Diff line number Diff line
@@ -770,8 +770,10 @@ static int esp32_wifi_status(const struct device *dev, struct wifi_iface_status
	}

	strncpy(status->ssid, data->status.ssid, WIFI_SSID_MAX_LEN);
	status->ssid_len = strnlen(data->status.ssid, WIFI_SSID_MAX_LEN);
	status->ssid[status->ssid_len] = '\0';
	/* Ensure the result is NUL terminated */
	status->ssid[WIFI_SSID_MAX_LEN-1] = '\0';
	/* We know it is NUL terminated, so we can use strlen */
	status->ssid_len = strlen(data->status.ssid);
	status->band = WIFI_FREQ_BAND_2_4_GHZ;
	status->link_mode = WIFI_LINK_MODE_UNKNOWN;
	status->mfp = WIFI_MFP_DISABLE;