Fix language string length validation in parse_lang_string()

The language string length needs to be validated to hit into the three-octet lang field in struct hostapd_lang_string before copying this. Invalid configuration entries in hostapd.conf could have resulted in buffer overflow. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-25 12:53:00 +03:00 · 2013-09-25 12:53:00 +03:00 · 04e533e249
commit 04e533e249
parent 742e715b31
1 changed files with 1 additions and 1 deletions
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@ -1299,7 +1299,7 @@ static int parse_lang_string(struct hostapd_lang_string **array,
 	*sep++ = '\0';

 	clen = os_strlen(pos);
-	if (clen < 2)
+	if (clen < 2 || clen > sizeof(ls->lang))
 		return -1;
 	nlen = os_strlen(sep);
 	if (nlen > 252)