From: Jouni Malinen <j@w1.fi>
Date: Mon, 4 May 2020 21:18:29 +0000 (+0300)
Subject: Fix truncated control interface command detection
X-Git-Tag: hostap_2_10~1368
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbafc8ef4b01b92e97a9a1e2829a0197ee805c73;p=thirdparty%2Fhostap.git

Fix truncated control interface command detection

The recvfrom() calls were supposed to use the full allocated buffer size
(max+1) to match the res > max check.

Fixes: 96b6dd21a022 ("Increase wpa_supplicant control interface buffer size")
Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/wpa_supplicant/ctrl_iface_unix.c b/wpa_supplicant/ctrl_iface_unix.c
index 35a38c95f..953fd2ccf 100644
--- a/wpa_supplicant/ctrl_iface_unix.c
+++ b/wpa_supplicant/ctrl_iface_unix.c
@@ -142,7 +142,7 @@ static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
 	buf = os_malloc(CTRL_IFACE_MAX_LEN + 1);
 	if (!buf)
 		return;
-	res = recvfrom(sock, buf, CTRL_IFACE_MAX_LEN, 0,
+	res = recvfrom(sock, buf, CTRL_IFACE_MAX_LEN + 1, 0,
 		       (struct sockaddr *) &from, &fromlen);
 	if (res < 0) {
 		wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",
@@ -1066,7 +1066,7 @@ static void wpa_supplicant_global_ctrl_iface_receive(int sock, void *eloop_ctx,
 	buf = os_malloc(CTRL_IFACE_MAX_LEN + 1);
 	if (!buf)
 		return;
-	res = recvfrom(sock, buf, CTRL_IFACE_MAX_LEN, 0,
+	res = recvfrom(sock, buf, CTRL_IFACE_MAX_LEN + 1, 0,
 		       (struct sockaddr *) &from, &fromlen);
 	if (res < 0) {
 		wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",