Fix off-by-one bounds checking in printf_encode()

The off-by-one error in printf_encode() bounds checking could have
allowed buffer overflow with 0x00 being written to the memory position
following the last octet of the target buffer. Since this output is used
as \0-terminated string, the following operation would likely read past
the buffer as well. Either of these operations can result in the process
dying either due to buffer overflow protection or by a read from
unallowed address.

This has been seen to cause wpa_supplicant crash on OpenBSD when control
interface client attaches (debug print shows the client socket address).
Similarly, it may be possible to trigger the issue in RADIUS/EAP server
implementation within hostapd with a suitable constructed user name.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
This commit is contained in:
Stuart Henderson 2014-06-02 15:53:23 +03:00 committed by Jouni Malinen
parent 801e117376
commit 5dff6dff63

View file

@ -350,7 +350,7 @@ void printf_encode(char *txt, size_t maxlen, const u8 *data, size_t len)
size_t i; size_t i;
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
if (txt + 4 > end) if (txt + 4 >= end)
break; break;
switch (data[i]) { switch (data[i]) {