[PATCH] Increase buffer size and prevent write beyond buffer end

Jouni Malinen j at w1.fi
Mon Oct 14 14:16:11 EDT 2013


On Fri, Oct 11, 2013 at 12:51:47PM +0200, Pontus Fuchs wrote:
> wpa_config_write_key_mgmt has a buffer size of 50. This is not enough
> to fit the longest case. I used a network with "WPA-PSK WPA-EAP
> WPA-NONE" and CONFIG_IEEE80211R=y + CONFIG_IEEE80211W=y to produce
> a string longer than 50 chars. Increase the buffer size to 100 to
> prevent truncated output.
> 
> Truncated output is not the only problem. If the buffer end is
> reached when adding certain key mgmt types the function does not
> return immediately. This leaves pos > end. When a second os_sprintf
> is called the calculation of end - pos yields a large positive
> number for buffer size. End result is a write beyond the buffer end.
> Fix this by bailing out if buffer end is reached.

Thanks, applied.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
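
The failure mode described in the quoted commit message, as an added example that is not part of the original thread or the hostap source. The names `append_names`, `next_size_unchecked` and `sample_names` are hypothetical, the name list is constructed sample input, and plain `snprintf` stands in for the project's wrapper.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: joined with single spaces this is 68 chars. */
static const char *const sample_names[] = {
    "WPA-PSK", "WPA-EAP", "WPA-NONE", "FT-PSK", "FT-EAP",
    "WPA-PSK-SHA256", "WPA-EAP-SHA256"
};
#define N_SAMPLE (sizeof(sample_names) / sizeof(sample_names[0]))

/* Size argument the unchecked pattern hands to the next formatted write
 * after "written" bytes were requested from a buflen-byte buffer. Modelled
 * with integers so the demo never forms an out-of-bounds pointer. */
size_t next_size_unchecked(size_t buflen, size_t written)
{
    ptrdiff_t remaining = (ptrdiff_t) buflen - (ptrdiff_t) written;
    return (size_t) remaining; /* a negative value wraps to a huge size */
}

/* Checked pattern: stop as soon as one append does not fit.
 * Returns 0 on success, -1 if the output was truncated. */
int append_names(char *buf, size_t buflen, const char *const *names, size_t n)
{
    char *pos = buf, *end = buf + buflen;
    size_t i;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        int ret = snprintf(pos, (size_t) (end - pos), "%s%s",
                           pos == buf ? "" : " ", names[i]);
        if (ret < 0 || ret >= end - pos) {
            end[-1] = '\0';
            return -1; /* bail out: pos must never pass end */
        }
        pos += ret;
    }
    return 0;
}

int main(void)
{
    char small[50], large[100];
    printf("50: %d\n", append_names(small, sizeof(small), sample_names, N_SAMPLE));
    printf("100: %d \"%s\"\n", append_names(large, sizeof(large), sample_names, N_SAMPLE), large);
    printf("unchecked size after 53 of 50: %zu\n", next_size_unchecked(50, 53));
    return 0;
}
```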

