From f33a31b06c85a3e64cde81bbbcc15e18c87d58fa Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 18 Jun 2015 17:04:16 +0300
Subject: [PATCH] P2PS: Verify service name length in P2P_FIND command
p2ps_gen_hash() has a limit on service names based on the temporary buffer from stack. Verify that the service name from the local P2P_FIND command is short enough to fix into that buffer.
Signed-off-by: Jouni Malinen
---
 src/p2p/p2p.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index d96723f6b..cea63f483 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -1139,6 +1139,8 @@ static int p2ps_gen_hash(struct p2p_data *p2p, const char *str, u8 *hash)
 adv_array = (u8 *) str_buf;
 adv_len = os_strlen(str);
+ if (adv_len >= sizeof(str_buf))
+ return 0;
 for (i = 0; str[i] && i < adv_len; i++) {
 if (str[i] >= 'A' && str[i] <= 'Z')
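Review bot: The added guard `if (adv_len >= sizeof(str_buf)) return 0;` rejects an overlong service name silently, so nothing in the debug log explains why no hash was generated. I would brace the branch and log before returning, e.g. `p2p_dbg(p2p, "P2PS: Too long service name for hash generation");`. A short comment above the check would also help, such as `/* str_buf receives the lower-cased copy of str in the loop below; reject names that do not fit */`. The check only protects the stack buffer if every caller treats a 0 return as failure; the callers are not visible here, so that should be confirmed. p2ps_gen_hash() starts and ends outside this hunk, so the str_buf declaration and the rest of the copy loop are not shown.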