Fix off-by-one bounds checking in printf_encode()
The off-by-one error in printf_encode() bounds checking could have allowed buffer overflow with 0x00 being written to the memory position following the last octet of the target buffer. Since this output is used as \0-terminated string, the following operation would likely read past the buffer as well. Either of these operations can result in the process dying either due to buffer overflow protection or by a read from unallowed address. This has been seen to cause wpa_supplicant crash on OpenBSD when control interface client attaches (debug print shows the client socket address). Similarly, it may be possible to trigger the issue in RADIUS/EAP server implementation within hostapd with a suitable constructed user name. Signed-off-by: Stuart Henderson <sthen@openbsd.org>
This commit is contained in:
Stuart Henderson
Jouni Malinen
parent
801e117376
commit
5dff6dff63
1 changed files with 1 additions and 1 deletions
|
|
@ -350,7 +350,7 @@ void printf_encode(char *txt, size_t maxlen, const u8 *data, size_t len)
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
for (i = 0; i < len; i++) {
|
for (i = 0; i < len; i++) {
|
||||||
if (txt + 4 > end)
|
if (txt + 4 >= end)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
switch (data[i]) {
|
switch (data[i]) {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue