[noup] zephyr: Fix ctrl msg buffer overflow

In the enterprise case, the ctrl msg length may exceeds MAX_CTRL_MSG_LEN, then the memcpy in wpa_supplicant_ctrl_iface_send() will lead to memory overflow. Directly drop this kind of large msg. Signed-off-by: Maochen Wang <[email protected]>
bjarki-andreasen · May 31, 2024 · 52dd7f6 · 52dd7f6
1 parent d449aae
commit 52dd7f6
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/wpa_supplicant/ctrl_iface_zephyr.c b/wpa_supplicant/ctrl_iface_zephyr.c
@@ -68,6 +68,11 @@ static void wpa_supplicant_ctrl_iface_send(struct wpa_supplicant *wpa_s,
 		os_snprintf(levelstr, sizeof(levelstr), "<%d>", level);
 
 	idx = 0;
+	if (len > MAX_CTRL_MSG_LEN) {
+		wpa_printf(MSG_ERROR, "CTRL_MSG too long");
+		return;
+	}
+
 	while (dst) {
 		next = dst->next;
 		if (level >= dst->debug_level) {