From da3239c3365941698966fe02bebc4551cfe030bb Mon Sep 17 00:00:00 2001 From: Sagar Bijwe Date: Wed, 19 Jun 2019 19:33:34 +0530 Subject: [PATCH] wpa_supplicant: Fix sprintf security bugs. Revert back to using os_snprintf instead of sprintf. Closes WIFI-624 --- components/wpa_supplicant/port/include/os.h | 2 +- components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c | 3 +-- components/wpa_supplicant/src/wpa2/tls/asn1.c | 3 +-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/components/wpa_supplicant/port/include/os.h b/components/wpa_supplicant/port/include/os.h index 48f7ab85e4..0028c21e9c 100644 --- a/components/wpa_supplicant/port/include/os.h +++ b/components/wpa_supplicant/port/include/os.h @@ -270,7 +270,7 @@ char * ets_strdup(const char *s); #ifdef _MSC_VER #define os_snprintf _snprintf #else -#define os_snprintf vsnprintf +#define os_snprintf snprintf #endif #endif diff --git a/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c b/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c index 2c97e6c0f0..5766af8037 100644 --- a/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c +++ b/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c @@ -732,8 +732,7 @@ int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data, if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) == 0) { - //ret = os_snprintf(buf + len, buflen - len, - ret = sprintf(buf + len, + ret = os_snprintf(buf + len, buflen - len, "EAP TLS cipher=%s\n", name); if (ret < 0 || (size_t) ret >= buflen - len) return len; diff --git a/components/wpa_supplicant/src/wpa2/tls/asn1.c b/components/wpa_supplicant/src/wpa2/tls/asn1.c index ced8018464..2037d827c5 100644 --- a/components/wpa_supplicant/src/wpa2/tls/asn1.c +++ b/components/wpa_supplicant/src/wpa2/tls/asn1.c @@ -152,8 +152,7 @@ void asn1_oid_to_str(struct asn1_oid *oid, char *buf, size_t len) buf[0] = '\0'; for (i = 0; i < oid->len; i++) { - //ret = os_snprintf(pos, buf + len - pos, - ret = sprintf(pos, + ret = os_snprintf(pos, buf + len - pos, "%s%lu", i == 0 ? "" : ".", oid->oid[i]); if (ret < 0 || ret >= buf + len - pos)