From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed, 25 Sep 2013 09:53:00 +0000 (+0300)
Subject: Fix language string length validation in parse_lang_string()
X-Git-Tag: hostap_2_1~931
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04e533e24944afa9d3bbaf86b2223e184198d603;p=thirdparty%2Fhostap.git

Fix language string length validation in parse_lang_string()

The language string length needs to be validated to hit into the
three-octet lang field in struct hostapd_lang_string before copying
this. Invalid configuration entries in hostapd.conf could have resulted
in buffer overflow.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
---

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 0b4fd772b..49b6a413b 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -1299,7 +1299,7 @@ static int parse_lang_string(struct hostapd_lang_string **array,
 	*sep++ = '\0';
 
 	clen = os_strlen(pos);
-	if (clen < 2)
+	if (clen < 2 || clen > sizeof(ls->lang))
 		return -1;
 	nlen = os_strlen(sep);
 	if (nlen > 252)