| Message ID | 1392029710-1169-8-git-send-email-ilan.peer@intel.com |
|---|---|
| State | Accepted |
| Headers | show |
Hmm, isn't it allowed to pass NULL to the %s format specifier of printf/snprintf and friends? Or is it a GCC feature that it prints the string "(null)" then? That is perfectly "valgrind-clean".
On Mon, 2014-02-10 at 12:44 +0100, Holger Schurig wrote: > Hmm, isn't it allowed to pass NULL to the %s format specifier of > printf/snprintf and friends? Or is it a GCC feature that it prints > the string "(null)" then? That is perfectly "valgrind-clean". I was wondering the same, but POSIX (man 3p printf, if you have it installed) doesn't seem to talk about passing NULL to %s. johannes
> -----Original Message----- > From: Johannes Berg [mailto:johannes@sipsolutions.net] > Sent: Monday, February 10, 2014 13:55 > To: Holger Schurig > Cc: Peer, Ilan; Lifshitz, Eytan; hostap@lists.shmoo.com > Subject: Re: [PATCH 7/7] wpa_supplicant: fix null dereference in > ieee802_1x_get_mib_sta() > > On Mon, 2014-02-10 at 12:44 +0100, Holger Schurig wrote: > > Hmm, isn't it allowed to pass NULL to the %s format specifier of > > printf/snprintf and friends? Or is it a GCC feature that it prints > > the string "(null)" then? That is perfectly "valgrind-clean". > > I was wondering the same, but POSIX (man 3p printf, if you have it > installed) doesn't seem to talk about passing NULL to %s. > Quotation from: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf about the s modifier: "If no l length modiļ¬er is present, the argument shall be a pointer to the initial element of an array of character type. Characters from the array are written up to (but not including) the terminating null character ..." As far as I understand the above, passing the NULL pointer is not valid ... Regards, Ilan.
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 49b30e4..21f815a 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1953,6 +1953,8 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, int len = 0, ret; struct eapol_state_machine *sm = sta->eapol_sm; struct os_reltime diff; + const char *name1; + const char *name2; if (sm == NULL) return 0; @@ -2088,13 +2090,15 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, return len; len += ret; + name1 = eap_server_get_name(0, sm->eap_type_authsrv); + name2 = eap_server_get_name(0, sm->eap_type_supp); ret = os_snprintf(buf + len, buflen - len, "last_eap_type_as=%d (%s)\n" "last_eap_type_sta=%d (%s)\n", sm->eap_type_authsrv, - eap_server_get_name(0, sm->eap_type_authsrv), + name1 ? name1 : "", sm->eap_type_supp, - eap_server_get_name(0, sm->eap_type_supp)); + name2 ? name2 : ""); if (ret < 0 || (size_t) ret >= buflen - len) return len; len += ret;
From: Eytan Lifshitz <eytan.lifshitz@intel.com> In function ieee802_1x_get_mib_sta(), eap_server_get_name() may return null, and it will be dereference immidiate by os_snprintf(). Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com> --- src/ap/ieee802_1x.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)