aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2013-10-26 09:25:20 (GMT)
committerJouni Malinen <j@w1.fi>2013-10-26 12:55:39 (GMT)
commit0f0120148ac613fb9b570b8686c7e8565fa6503a (patch)
tree6be6a9b26d293c75ec7543d6273a25e1d83c4ce4
parentf5eb9da3043f66e56fab1905b8ab29ecf37233a2 (diff)
downloadhostap-0f0120148ac613fb9b570b8686c7e8565fa6503a.zip
hostap-0f0120148ac613fb9b570b8686c7e8565fa6503a.tar.gz
hostap-0f0120148ac613fb9b570b8686c7e8565fa6503a.tar.bz2
Verify that readlink() did not truncate result
linux_br_get() was forcing null termination on the buffer, but did not check whether the string could have been truncated. Make this more strict by rejecting any truncation case. Signed-hostap: Jouni Malinen <j@w1.fi>
-rw-r--r--src/drivers/linux_ioctl.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/drivers/linux_ioctl.c b/src/drivers/linux_ioctl.c
index 4380428..837971d 100644
--- a/src/drivers/linux_ioctl.c
+++ b/src/drivers/linux_ioctl.c
@@ -204,11 +204,14 @@ int linux_br_del_if(int sock, const char *brname, const char *ifname)
int linux_br_get(char *brname, const char *ifname)
{
char path[128], brlink[128], *pos;
+ ssize_t res;
+
os_snprintf(path, sizeof(path), "/sys/class/net/%s/brport/bridge",
ifname);
- os_memset(brlink, 0, sizeof(brlink));
- if (readlink(path, brlink, sizeof(brlink) - 1) < 0)
+ res = readlink(path, brlink, sizeof(brlink));
+ if (res < 0 || (size_t) res >= sizeof(brlink))
return -1;
+ brlink[res] = '\0';
pos = os_strrchr(brlink, '/');
if (pos == NULL)
return -1;