drivers: wifi: eswifi: Fix parsing buffer-overflows

Loic Poulain · jukkar · commit 40e2d94bc88a · 2020-07-30T16:35:58.000+03:00
There are possible buffer overflows when parsing the ip address and
SSID. Ensure that we never overwrite the ip and SSID buffers.

Signed-off-by: Loic Poulain &lt;loic.poulain@linaro.org&gt;
diff --git a/drivers/wifi/eswifi/eswifi_core.c b/drivers/wifi/eswifi/eswifi_core.c
@@ -52,29 +52,30 @@ static int eswifi_reset(struct eswifi_dev *eswifi)
 
 static inline int __parse_ssid(char *str, char *ssid)
 {
-	/* fnt => '"SSID"' */
+	int i = 0;
 
-	if (!*str || (*str != '"')) {
-		return -EINVAL;
-	}
+	/* fmt => "SSID" */
 
-	str++;
-	while (*str && (*str != '"')) {
-		*ssid++ = *str++;
+	if (*str != '"') {
+		return 0;
 	}
+	str++;
 
-	*ssid = '\0';
+	while (*str && (*str != '"') && i < WIFI_SSID_MAX_LEN) {
+		ssid[i++] = *str++;
+	}
 
 	if (*str != '"') {
-		return -EINVAL;
+		return 0;
 	}
 
-	return -EINVAL;
+	return i;
 }
 
 static void __parse_scan_res(char *str, struct wifi_scan_result *res)
 {
 	int field = 0;
+	int ret;
 
 	/* fmt => #001,"SSID",MACADDR,RSSI,BITRATE,MODE,SECURITY,BAND,CHANNEL */
 
@@ -90,8 +91,7 @@ static void __parse_scan_res(char *str, struct wifi_scan_result *res)
 
 		switch (++field) {
 		case 1: /* SSID */
-			__parse_ssid(str, res->ssid);
-			res->ssid_length = strlen(res->ssid);
+			res->ssid_length = __parse_ssid(str, res->ssid);
 			str += res->ssid_length;
 			break;
 		case 2: /* mac addr */
@@ -180,7 +180,7 @@ static int __parse_ipv4_address(char *str, char *ssid, uint8_t ip[4])
 	unsigned int byte = -1;
 
 	/* fmt => [JOIN   ] SSID,192.168.2.18,0,0 */
-	while (*str) {
+	while (*str && byte < 4) {
 		if (byte == -1) {
 			if (!strncmp(str, ssid, strlen(ssid))) {
 				byte = 0U;
