From 8d68b33e763aced6d419df9f6534760d2c890279 Mon Sep 17 00:00:00 2001 From: Denis Kenzior Date: Sun, 26 Nov 2023 22:38:45 -0600 Subject: [PATCH] netdev: Fix buffer overflow with 32 character ssids ssid is declared as a 32 byte field in handshake_state, hence using it as a string which is assumed to be nul-terminated will fail for SSIDs that are 32 bytes long. Fixes: 1f1478285725 ("wiphy: add _generate_address_from_ssid") Fixes: 5a1b1184fca6 ("netdev: support per-network MAC addresses") --- src/netdev.c | 3 ++- src/wiphy.c | 5 +++-- src/wiphy.h | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/netdev.c b/src/netdev.c index 901a4190..208a15b9 100644 --- a/src/netdev.c +++ b/src/netdev.c @@ -3526,7 +3526,8 @@ static int netdev_start_powered_mac_change(struct netdev *netdev) /* No address set in handshake, use per-network MAC generation */ if (l_memeqzero(netdev->handshake->spa, ETH_ALEN)) wiphy_generate_address_from_ssid(netdev->wiphy, - (const char *)netdev->handshake->ssid, + netdev->handshake->ssid, + netdev->handshake->ssid_len, new_addr); else memcpy(new_addr, netdev->handshake->spa, ETH_ALEN); diff --git a/src/wiphy.c b/src/wiphy.c index 570f5415..766df348 100644 --- a/src/wiphy.c +++ b/src/wiphy.c @@ -796,12 +796,13 @@ void wiphy_generate_random_address(struct wiphy *wiphy, uint8_t addr[static 6]) wiphy_address_constrain(wiphy, addr); } -void wiphy_generate_address_from_ssid(struct wiphy *wiphy, const char *ssid, +void wiphy_generate_address_from_ssid(struct wiphy *wiphy, + const uint8_t *ssid, size_t ssid_len, uint8_t addr[static 6]) { struct l_checksum *sha = l_checksum_new(L_CHECKSUM_SHA256); - l_checksum_update(sha, ssid, strlen(ssid)); + l_checksum_update(sha, ssid, ssid_len); l_checksum_update(sha, wiphy->permanent_addr, sizeof(wiphy->permanent_addr)); l_checksum_get_digest(sha, addr, mac_randomize_bytes); diff --git a/src/wiphy.h b/src/wiphy.h index 999d0c57..bc82a007 100644 --- a/src/wiphy.h +++ b/src/wiphy.h @@ -146,7 +146,8 @@ const uint8_t *wiphy_get_ht_capabilities(const struct wiphy *wiphy, enum band_freq band, size_t *size); void wiphy_generate_random_address(struct wiphy *wiphy, uint8_t addr[static 6]); -void wiphy_generate_address_from_ssid(struct wiphy *wiphy, const char *ssid, +void wiphy_generate_address_from_ssid(struct wiphy *wiphy, + const uint8_t *ssid, size_t ssid_len, uint8_t addr[static 6]); int wiphy_estimate_data_rate(struct wiphy *wiphy,