From 3ca1aeb917d1e574e15653c7808a4c600f4a9794 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Mon, 24 Sep 2018 11:57:56 -0500
Subject: [PATCH] wsc: Don't use wsc_pin_is_checksum_valid on 4 digit PINs
wsc_pin_is_valid allows two types of PINs through:
1. 4 digit numeric PIN
2. 8 digit numeric PIN
The current code always calls wsc_pin_is_checksum_valid to determine whether a DEFAULT or USER_SPECIFIED PIN is used. However, this function is not safe to call on 4 digit PINs and causes a buffer overflow.
Add simple checks to treat 4 digit PINs as DEFAULT PINs and do not call wsc_pin_is_checksum_valid on these.
Reported-By: Matthias Gerstner
---
 src/wsc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wsc.c b/src/wsc.c
index c4eda65e..79a021ad 100644
--- a/src/wsc.c
+++ b/src/wsc.c
@@ -444,7 +444,7 @@ static void wsc_connect(struct wsc *wsc)
 if (l_dbus_message_get_arguments(wsc->pending, "s", &pin)) {
 enum wsc_device_password_id dpid;
- if (wsc_pin_is_checksum_valid(pin))
+ if (strlen(pin) == 4 || wsc_pin_is_checksum_valid(pin))
 dpid = WSC_DEVICE_PASSWORD_ID_DEFAULT;
 else
 dpid = WSC_DEVICE_PASSWORD_ID_USER_SPECIFIED;
@@ -958,7 +958,7 @@ static struct l_dbus_message *wsc_start_pin(struct l_dbus *dbus,
 if (!wsc_pin_is_valid(pin))
 return dbus_error_invalid_format(message);
- if (wsc_pin_is_checksum_valid(pin))
+ if (strlen(pin) == 4 || wsc_pin_is_checksum_valid(pin))
 dpid = WSC_DEVICE_PASSWORD_ID_DEFAULT;
 else
 dpid = WSC_DEVICE_PASSWORD_ID_USER_SPECIFIED;
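Review bot: The `strlen(pin) == 4 ||` guard added in both hunks (wsc_connect and wsc_start_pin) keeps the overflow away from these two call sites only, while wsc_pin_is_checksum_valid itself stays unsafe for any string that is not 8 characters long. In wsc_start_pin the guard follows the wsc_pin_is_valid check, but in the wsc_connect hunk no validation of the string read from `wsc->pending` is visible, so safety there presumably rests on that earlier check having run before the message was stored. In addition to the call-site guards, a length check as the first statement of the helper, e.g. `if (strlen(pin) != 8) return false;` (assuming it returns bool; its definition is outside this diff), would protect every present and future caller. Both enclosing functions start and end outside the hunks.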