[PATCH 03/20] AP: Fix heap-buffer-overflow when printing STA identity

Andrei Otcheretianski andrei.otcheretianski at intel.com
Wed Jun 10 06:11:56 PDT 2026


From: Ilan Peer <ilan.peer at intel.com>

The EAPOL state machine identity is not guaranteed to be NULL
terminated, e.g., when set from PMKSA cache data. Fix
ieee802_1x_get_mib_sta() to copy the identity into a NULL terminated
buffer before using it as a printf string argument.

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 src/ap/ieee802_1x.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 96a8454ea8..ed68c6d952 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2995,14 +2995,20 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
 
 	/* dot1xAuthSessionStatsTable */
 	os_reltime_age(&sta->acct_session_start, &diff);
-	if (sm->eap && !sm->identity) {
-		const u8 *id;
-		size_t id_len;
-
-		id = eap_get_identity(sm->eap, &id_len);
-		if (id)
-			identity_buf = dup_binstr(id, id_len);
+	if (sm->eap) {
+		if (!sm->identity) {
+			const u8 *id;
+			size_t id_len;
+
+			id = eap_get_identity(sm->eap, &id_len);
+			if (id)
+				identity_buf = dup_binstr(id, id_len);
+		} else {
+			identity_buf = dup_binstr(sm->identity,
+						  sm->identity_len);
+		}
 	}
+
 	ret = os_snprintf(buf + len, buflen - len,
 			  /* TODO: dot1xAuthSessionOctetsRx */
 			  /* TODO: dot1xAuthSessionOctetsTx */
@@ -3018,8 +3024,7 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
 				   wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
 			  1 : 2,
 			  (unsigned int) diff.sec,
-			  sm->identity ? (char *) sm->identity :
-					 (identity_buf ? identity_buf : "N/A"));
+			  identity_buf ? identity_buf : "N/A");
 	os_free(identity_buf);
 	if (os_snprintf_error(buflen - len, ret))
 		return len;
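Review bot: The new `identity_buf ? identity_buf : "N/A"` argument now also absorbs the case where `dup_binstr()` failed to allocate, so a reader of the MIB output cannot tell an absent identity from an OOM condition; this is an acceptable best-effort choice but deserves a comment at the call site. Something like `/* identity_buf is NULL both when no identity is known and when dup_binstr() failed; report "N/A" in either case */` above the `os_snprintf()` call would make the intent explicit. The enclosing function continues past the end of this hunk.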
-- 
2.53.0



