From 2e70e807c8b89ce7b28c3d91843f89ef56e7fa7a Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 15 Apr 2019 20:27:52 +0300
Subject: [PATCH] D-Bus: Fix P2P GroupStarted signal not to use uninitialized IP buffer

wpas_p2p_completed() used wpa_sm_get_p2p_ip_addr() return value properly for filling in the ip_addr[] string only if the IP addresses got assigned, but the raw ip[] array was passed to wpas_dbus_signal_p2p_group_started() regardless of whether the IP addresses were assigned. This could result in using uninitialized stack memory for constructing the GroupStarted signal values. Fix this by filling those in only if the IP addressed are actually available.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/p2p_supplicant.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index 412903f1d..3f2b47b7e 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -7215,7 +7215,7 @@ void wpas_p2p_completed(struct wpa_supplicant *wpa_s)
 u8 go_dev_addr[ETH_ALEN];
 int persistent;
 int freq;
- u8 ip[3 * 4];
+ u8 ip[3 * 4], *ip_ptr = NULL;
 char ip_addr[100];
 
 if (ssid == NULL || ssid->mode != WPAS_MODE_P2P_GROUP_FORMATION) {
@@ -7262,6 +7262,7 @@ void wpas_p2p_completed(struct wpa_supplicant *wpa_s)
 ip[8], ip[9], ip[10], ip[11]);
 if (os_snprintf_error(sizeof(ip_addr), res))
 ip_addr[0] = '\0';
+ ip_ptr = ip;
 }
 
 wpas_p2p_group_started(wpa_s, 0, ssid, freq,
@@ -7274,7 +7275,7 @@ void wpas_p2p_completed(struct wpa_supplicant *wpa_s)
 wpas_p2p_store_persistent_group(wpa_s->p2pdev,
 ssid, go_dev_addr);
 
- wpas_notify_p2p_group_started(wpa_s, ssid, persistent, 1, ip);
+ wpas_notify_p2p_group_started(wpa_s, ssid, persistent, 1, ip_ptr);
 }
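Review bot: In the first hunk, `u8 ip[3 * 4], *ip_ptr = NULL;` puts an uninitialized array and an initialized pointer in one declarator list, which hides the one variable whose NULL state now carries meaning. I would split it into `u8 ip[3 * 4];` and `u8 *ip_ptr = NULL; /* set only after ip[] has been filled */`, so the "no address assigned" state is visible at the declaration. The body of wpas_p2p_completed() starts and ends outside this hunk.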
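Review bot: The last hunk now passes `ip_ptr` to wpas_notify_p2p_group_started(), and it is NULL whenever the block in the second hunk that sets `ip_ptr = ip;` is not entered. The callee is not part of this patch. Before merging, confirm that it and the wpas_dbus_signal_p2p_group_started() path named in the commit message test the pointer before reading the address bytes; otherwise the uninitialized stack read is replaced by a NULL dereference. A contract comment at the prototype, for example `/* ip: 12 address bytes, or NULL if no IP addresses were assigned */`, would keep future callers from passing a raw stack buffer again.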