Fix off-by-one bounds checking in printf_encode()
The off-by-one error in printf_encode() bounds checking could have allowed buffer overflow with 0x00 being written to the memory position following the last octet of the target buffer. Since this output is used as \0-terminated string, the following operation would likely read past the buffer as well. Either of these operations can result in the process dying either due to buffer overflow protection or by a read from unallowed address.

This has been seen to cause wpa_supplicant crash on OpenBSD when control interface client attaches (debug print shows the client socket address). Similarly, it may be possible to trigger the issue in RADIUS/EAP server implementation within hostapd with a suitably constructed user name.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
parent 801e117376
commit 5dff6dff63

1 changed files with 1 additions and 1 deletions
		|  | @ -350,7 +350,7 @@ void printf_encode(char *txt, size_t maxlen, const u8 *data, size_t len) | |||
| 	size_t i; | ||||
| 
 | ||||
| 	for (i = 0; i < len; i++) { | ||||
| 		if (txt + 4 > end) | ||||
| 		if (txt + 4 >= end) | ||||
| 			break; | ||||
| 
 | ||||
| 		switch (data[i]) { | ||||
|  |  | |||
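Review bot: The corrected test `if (txt + 4 >= end)` still carries an unexplained constant and an implicit reservation for the terminator, so the invariant is hard to check from the code alone. A short comment above the check would help, stating that the 4 is the space one input octet may need and that `>=` keeps one further byte free for the trailing 0x00 described in the commit message. Consider also expressing the test as a remaining-space comparison such as `if (end - txt <= 4)`, which avoids forming `txt + 4` as a pointer beyond the end of the buffer when fewer than four bytes remain. The termination write and the behaviour for a very small `maxlen` are outside this hunk and are worth confirming against the same invariant, ideally with a test that encodes input into a buffer sized exactly at the boundary.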
	 Stuart Henderson