[PATCH] P2P: Handle possible long P2P Device interface name

Jouni Malinen j at w1.fi
Sat Apr 6 07:11:45 PDT 2019


On Wed, Apr 03, 2019 at 06:17:11PM +0300, Andrei Otcheretianski wrote:
> The way that the P2P Device interface name was constructed, might
> result with an interface name that exceeds the maximal allowed
> interface name length (IFNAMSZ).
> 
> Fix this by properly limiting the created interface name length.

How is this supposed to work and guarantee that the truncated interface
name would be unique?

> diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
> @@ -3794,14 +3794,21 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s,
>  {
>  	struct wpa_interface iface;
>  	struct wpa_supplicant *p2pdev_wpa_s;
> -	char ifname[100];
> -	char force_name[100];
> +	char ifname[IFNAMSIZ];
> +	char force_name[IFNAMSIZ];

IFNAMSIZ as the array length would mean that the array can hold only
IFNAMSIZ-1 character long name, so this would be truncating to shorter
than IFNAMSIZ characters.

>  	ret = os_snprintf(ifname, sizeof(ifname), P2P_MGMT_DEVICE_PREFIX "%s",
>  			  wpa_s->ifname);
> -	if (os_snprintf_error(sizeof(ifname), ret))
> +
> +	if (ret >= IFNAMSIZ) {
> +		wpa_printf(MSG_WARNING,
> +			   "P2P: P2P Device interface name truncated=%s",
> +			   ifname);
> +	} else if (ret < 0) {
>  		return -1;
> +	}
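Review bot: the `if (ret >= IFNAMSIZ)` branch only logs a warning and then falls through, so a name that did not fit in `ifname` is still used to create the interface; the previous `os_snprintf_error()` check treated that case as an error and returned -1. If the intent is to continue with a truncated name, the branch should at least make the buffer safe before it is read (including by the `wpa_printf()` in the branch itself), e.g. `ifname[sizeof(ifname) - 1] = '\0';`, and the commit message should say how a truncated name is kept unique across interfaces. Otherwise keeping `return -1` for `ret >= sizeof(ifname)` is the simpler and safer change.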

So what if snprintf returns IFNAMSIZ? Wouldn't that leave ifname[]
without nul termination here? And that could result in reading beyond
the end of the buffer when using this string, e.g., in that wpa_printf()
print.
 
-- 
Jouni Malinen                                            PGP id EFC895FA