From 3f3ce0571c3d1e71ef010d9d19c1697bd9740d59 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 8 May 2022 16:55:45 +0300
Subject: [PATCH] Check sscanf() return value in TWT_SETUP parsing

Reject invalid values instead of proceeding.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/ctrl_iface.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 3d8e6630b..ac337e0f5 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -10027,8 +10027,9 @@ static int wpas_ctrl_iface_send_twt_setup(struct wpa_supplicant *wpa_s,
 setup_cmd = atoi(tok_s + os_strlen(" setup_cmd="));
 tok_s = os_strstr(cmd, " twt=");
- if (tok_s)
- sscanf(tok_s + os_strlen(" twt="), "%llu", &twt);
+ if (tok_s &&
+ sscanf(tok_s + os_strlen(" twt="), "%llu", &twt) != 1)
+ return -1;
 tok_s = os_strstr(cmd, " requestor=");
 if (tok_s)
--
2.47.2
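Review bot: The added `!= 1` check on the ` twt=` value still accepts input that `sscanf("%llu")` only partly validates. A value with trailing non-digits is truncated at the first of them and accepted, a leading minus sign is converted and wrapped to a large unsigned value, and the result for a number that does not fit in unsigned long long is undefined for the scanf family. Parsing with `strtoull()`, requiring a leading digit and checking `errno` and the end pointer, rejects all three cases; the fence shows one way, assuming `errno` and `strtoull()` are already usable in this file. The `setup_cmd=` context line just above still uses `atoi()` with no validation, so the same treatment probably applies to the other parameters of this function, whose body starts and ends outside the hunk.

```c
	tok_s = os_strstr(cmd, " twt=");
	if (tok_s) {
		const char *val = tok_s + os_strlen(" twt=");
		char *end;

		/* strtoull() would accept a sign or leading blanks; require a digit */
		if (*val < '0' || *val > '9')
			return -1;
		errno = 0;
		twt = strtoull(val, &end, 10);
		/* value must fit and must end at the next parameter or the end */
		if (errno == ERANGE || (*end != '\0' && *end != ' '))
			return -1;
	}
	/* ... unchanged: requestor= and later parameters ... */
```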