Off-by-one error in drivers?

Jouke Witteveen j.witteveen at gmail.com
Sun Nov 2 17:08:34 EST 2008


Hello all,

If I am right, the following wpa_supplicant drivers contain an OBOE
concerning IFNAMSIZ:
driver_atmel.c
driver_broadcom.c
driver_hostap.c
driver_ipw.c
driver_madwifi.c
driver_ndiswrapper.c
driver_nl80211.c
driver_prism54.c
driver_ralink.c
driver_wext.c
driver_wired.c

They all have an ifname C string of IFNAMSIZ + 1 bytes so as to fit an
interface name of IFNAMSIZ characters. They then go on to use
os_strlcpy to copy at most IFNAMSIZ characters from the ifname to some
other variable. Not only does it look like the null character is not
accounted for, it also seems to neglect that strlcpy _will_ write the
terminating character. Because of this last caveat an interface name of
IFNAMSIZ characters gets truncated (the last character is turned into
'\0').

Can anyone comment on this?

Regards,
Jouke Witteveen
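The truncation described in the mail, shown as an added stand-alone example (not wpa_supplicant code): a strlcpy-style copy with a bound of IFNAMSIZ keeps only IFNAMSIZ - 1 characters of a name, whereas bounding by the destination's full size (IFNAMSIZ + 1) keeps all of them. `copy_bounded` is a local reimplementation of strlcpy semantics, assumed to match os_strlcpy; IFNAMSIZ is defined locally with the Linux value so the file compiles without kernel headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16  /* Linux value; defined here only to keep the example self-contained */

/* Local reimplementation of strlcpy semantics (assumed to match os_strlcpy):
 * copy at most size-1 bytes, always write a terminating NUL when size > 0,
 * and return the full length of src so callers can detect truncation. */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Pattern the mail describes: destination holds IFNAMSIZ + 1 bytes, but the
 * copy is bounded by IFNAMSIZ, so the last name character is lost. */
size_t chars_kept_with_ifnamsiz_bound(const char *ifname)
{
    char dst[IFNAMSIZ + 1];
    copy_bounded(dst, ifname, IFNAMSIZ);
    return strlen(dst);
}

/* Corrected pattern: bound the copy by the destination's real size. */
size_t chars_kept_with_sizeof_bound(const char *ifname)
{
    char dst[IFNAMSIZ + 1];
    copy_bounded(dst, ifname, sizeof(dst));
    return strlen(dst);
}

/* Caller-side check using the strlcpy return value: nonzero if the copy of
 * ifname into a buffer bounded by `bound` bytes would silently truncate. */
int name_was_truncated(const char *ifname, size_t bound)
{
    char dst[IFNAMSIZ + 1];
    return copy_bounded(dst, ifname, bound) >= bound;
}

int main(void)
{
    const char *name = "wlan0123456789ab";  /* constructed: exactly IFNAMSIZ characters */
    printf("bound IFNAMSIZ     : %zu chars kept\n", chars_kept_with_ifnamsiz_bound(name));
    printf("bound IFNAMSIZ + 1 : %zu chars kept\n", chars_kept_with_sizeof_bound(name));
    printf("truncated with IFNAMSIZ bound: %d\n", name_was_truncated(name, IFNAMSIZ));
    return 0;
}
```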