Fix language string length validation in parse_lang_string()

The language string length needs to be validated to hit into the
three-octet lang field in struct hostapd_lang_string before copying
this. Invalid configuration entries in hostapd.conf could have resulted
in buffer overflow.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 0b4fd772bbfdc7b7a6b4bcb47797f2331c8d1f30..49b6a413b1d79dc0756a4ef29decb36351a5e479 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -1299,7 +1299,7 @@ static int parse_lang_string(struct hostapd_lang_string **array,
        *sep++ = '\0';
 
        clen = os_strlen(pos);
-       if (clen < 2)
+       if (clen < 2 || clen > sizeof(ls->lang))
                return -1;
        nlen = os_strlen(sep);
        if (nlen > 252)