From 6ceb95c950f195322858f7c5dee69b6ab26f31a3 Mon Sep 17 00:00:00 2001
From: Eytan Lifshitz
Date: Mon, 10 Feb 2014 12:55:09 +0200
Subject: [PATCH] Avoid NULL dereference in ieee802_1x_get_mib_sta() printf

In function ieee802_1x_get_mib_sta(), eap_server_get_name() may return NULL, and it could be dereferenced immidiately by os_snprintf() (if the snprintf implementation does not handle NULL pointer).

Signed-hostap: Eytan Lifshitz
---
 src/ap/ieee802_1x.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 49b30e41c..21f815af2 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1953,6 +1953,8 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
 int len = 0, ret;
 struct eapol_state_machine *sm = sta->eapol_sm;
 struct os_reltime diff;
+ const char *name1;
+ const char *name2;
 if (sm == NULL)
 return 0;
@@ -2088,13 +2090,15 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
 return len;
 len += ret;
+ name1 = eap_server_get_name(0, sm->eap_type_authsrv);
+ name2 = eap_server_get_name(0, sm->eap_type_supp);
 ret = os_snprintf(buf + len, buflen - len,
 "last_eap_type_as=%d (%s)\n"
 "last_eap_type_sta=%d (%s)\n",
 sm->eap_type_authsrv,
- eap_server_get_name(0, sm->eap_type_authsrv),
+ name1 ? name1 : "",
 sm->eap_type_supp,
- eap_server_get_name(0, sm->eap_type_supp));
+ name2 ? name2 : "");
 if (ret < 0 || (size_t) ret >= buflen - len)
 return len;
 len += ret;
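Review bot: The two guarded `%s` arguments in the os_snprintf() call in the second hunk have no comment saying why the NULL check exists, and the locals `name1`/`name2` declared in the first hunk do not say which side each belongs to. I would rename them to `as_name` and `sta_name` and put `/* eap_server_get_name() can return NULL; passing NULL for %s is undefined */` above the two assignments. `sm->eap_type_supp` presumably holds a type value taken from the station's EAP response, so the NULL case may be reachable from peer input rather than only from misconfiguration; if that is confirmed, the comment should say so. With the empty-string fallback an unrecognised type prints as `()`, so `"unknown"` might be easier to spot in MIB output. The body of ieee802_1x_get_mib_sta() starts and ends outside both hunks.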