Off-by-one error in drivers?

Jouni Malinen
Sun Nov 2 19:03:36 PST 2008

On Sun, Nov 02, 2008 at 11:08:34PM +0100, Jouke Witteveen wrote:

> If I am right the following wpa_supplicant drivers contain an OBOE
> concerning IFNAMSIZ:

> They all have an ifname C string of IFNAMSIZ + 1 bytes so as to fit an
> interface name of IFNAMSIZ characters. They then go on to use
> os_strlcpy to copy at most IFNAMSIZ characters from the ifname to some
> other variable. Not only does it look like the null character is not
> accounted for, it also seems to neglect that strlcpy _will_ write the
> terminating character. Because of this last caveat, an interface name of
> IFNAMSIZ characters gets truncated (the last character is turned into
> '\0').

This is actually by design. In theory, it could be possible to use an
IFNAMSIZ-character-long ifname, but there is (or at least used to be) a
number of cases where the Linux kernel did not exactly like this (missing
null termination). Consequently, wpa_supplicant is prepared for an IFNAMSIZ
character long ifname (with +1 to make sure drv->ifname is always null
terminated), but it does not currently allow ioctls with an ifname that
would not include null termination in ifreq/iwreq.

Jouni Malinen                                            PGP id EFC895FA
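The behaviour both messages describe, as an added example that is not code from wpa_supplicant or from either poster: a driver-side buffer of IFNAMSIZ + 1 bytes, a kernel-facing ifr_name of exactly IFNAMSIZ bytes, and a copy bounded by IFNAMSIZ. The example_strlcpy helper stands in for os_strlcpy and is assumed to follow the BSD strlcpy contract (copy at most size - 1 bytes, always NUL-terminate, return strlen(src)); IFNAMSIZ is defined locally as 16, the value Linux uses in net/if.h, so the program builds anywhere. The struct and function names are illustrative, not wpa_supplicant identifiers. The point the example adds is the check: strlcpy's return value tells the caller whether the 16-character name was truncated, which is exactly the case the kernel would otherwise see without a terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Linux defines IFNAMSIZ as 16 in <net/if.h>; defined here so the example
 * compiles on any platform. */
#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif

/* Local stand-in for os_strlcpy (assumed BSD strlcpy semantics): copies at
 * most size - 1 bytes, always writes a terminating NUL when size > 0, and
 * returns strlen(src) so the caller can detect truncation (len >= size). */
static size_t example_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Driver-side storage, sized as the mail describes: IFNAMSIZ + 1 so that a
 * name of IFNAMSIZ characters is still NUL-terminated. */
struct example_drv {
    char ifname[IFNAMSIZ + 1];
};

/* Kernel-facing request: ifr_name is exactly IFNAMSIZ bytes, the layout
 * used by ifreq/iwreq. There is no room for a NUL after 16 characters. */
struct example_ifreq {
    char ifr_name[IFNAMSIZ];
};

/* Fills the request the way the mail describes (os_strlcpy bounded by
 * IFNAMSIZ). Returns 0 if the whole name fit with its terminator, or -1 if
 * strlcpy truncated it, i.e. the name was IFNAMSIZ characters long and could
 * not be handed to the kernel NUL-terminated. The truncated, terminated name
 * is still left in ifr->ifr_name, so a caller can log it. */
static int example_fill_ifreq(struct example_ifreq *ifr, const char *ifname)
{
    size_t len = example_strlcpy(ifr->ifr_name, ifname, IFNAMSIZ);
    return len >= IFNAMSIZ ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names: 5, 15 and 16 characters long. */
    const char *names[] = { "wlan0", "abcdefghijklmno", "abcdefghijklmnop" };
    struct example_ifreq ifr;
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = example_fill_ifreq(&ifr, names[i]);
        /* ifr_name is NUL-terminated by example_strlcpy, so %s is safe here. */
        printf("%-16s -> ifr_name=\"%s\" (%zu chars) %s\n", names[i],
               ifr.ifr_name, strlen(ifr.ifr_name),
               rc == 0 ? "ok" : "TRUNCATED: rejected for ioctl");
    }
    return 0;
}
```

Note that a 16-character name is not written past the 16-byte field; it is shortened to 15 characters plus NUL, which is the truncation the original poster observed, and the caller can refuse the ioctl by checking the return value rather than silently sending a different interface name.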

More information about the Hostap mailing list