Fix off-by-one bounds checking in printf_encode()

The off-by-one error in printf_encode() bounds checking could have
allowed buffer overflow with 0x00 being written to the memory position
following the last octet of the target buffer. Since this output is used
as \0-terminated string, the following operation would likely read past
the buffer as well. Either of these operations can result in the process
dying either due to buffer overflow protection or by a read from
unallowed address.

This has been seen to cause wpa_supplicant crash on OpenBSD when control
interface client attaches (debug print shows the client socket address).
Similarly, it may be possible to trigger the issue in RADIUS/EAP server
implementation within hostapd with a suitable constructed user name.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>

diff --git a/src/utils/common.c b/src/utils/common.c
index 39751d408dfcbee6df2f0fde891d868593fbffe9..7dc4797d1bf6ce247552a3313959e3f4d45f6996 100644 (file)
--- a/src/utils/common.c
+++ b/src/utils/common.c
@@ -350,7 +350,7 @@ void printf_encode(char *txt, size_t maxlen, const u8 *data, size_t len)
        size_t i;
 
        for (i = 0; i < len; i++) {
-               if (txt + 4 > end)
+               if (txt + 4 >= end)
                        break;
 
                switch (data[i]) {