@@ -302,6 +302,10 @@ static esp_err_t esp_dpp_rx_peer_disc_resp(struct action_rx_param *rx_param)
302302 return ESP_ERR_INVALID_ARG ;
303303 }
304304
305+ if (rx_param -> vendor_data_len < 2 ) {
306+ wpa_printf (MSG_INFO , "DPP: Too short vendor specific data" );
307+ return ESP_FAIL ;
308+ }
305309 size_t len = rx_param -> vendor_data_len - 2 ;
306310
307311 buf = rx_param -> action_frm -> u .public_action .v .pa_vendor_spec .vendor_data ;
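Review bot: The new guard at line 305 returns ESP_FAIL while the check that ends at line 302 returns ESP_ERR_INVALID_ARG, so the same function now reports two different codes for two kinds of malformed input; if ESP_FAIL is deliberate a short comment saying why would help, otherwise `return ESP_ERR_INVALID_ARG;` keeps the function consistent. After the guard `len` may legitimately be 0 (vendor_data_len == 2), and whether the code past line 311 tolerates an empty attribute list cannot be seen from the hunk. The body of esp_dpp_rx_peer_disc_resp starts and ends outside the hunk.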
@@ -437,25 +441,36 @@ static void gas_query_resp_rx(struct action_rx_param *rx_param)
437441{
438442 struct dpp_authentication * auth = s_dpp_ctx .dpp_auth ;
439443 uint8_t * pos = rx_param -> action_frm -> u .public_action .v .pa_gas_resp .data ;
440- uint8_t * resp = & pos [10 ];
444+ uint8_t * resp = & pos [10 ]; /* first byte of DPP attributes */
445+ size_t vendor_len = rx_param -> vendor_data_len ;
441446 int i , res ;
442447
443- if ( pos [ 1 ] == WLAN_EID_VENDOR_SPECIFIC && pos [ 2 ] == 5 &&
444- WPA_GET_BE24 ( & pos [3 ]) == OUI_WFA && pos [6 ] == 0x1a && pos [ 7 ] == 1 && auth ) {
445- if ( dpp_conf_resp_rx ( auth , resp , rx_param -> vendor_data_len - 2 ) < 0 ) {
446- wpa_printf ( MSG_DEBUG , "DPP: Configuration attempt failed" );
447- goto fail ;
448- }
448+ /* Basic structural checks on the Advertisement Protocol payload */
449+ if (!( pos [1 ] == WLAN_EID_VENDOR_SPECIFIC && pos [2 ] == 5 &&
450+ WPA_GET_BE24 ( & pos [ 3 ]) == OUI_WFA && pos [ 6 ] == 0x1a && pos [ 7 ] == 1 && auth ) ) {
451+ wpa_hexdump ( MSG_INFO , "DPP: Failed, Configuration Response adv_proto" , pos , 8 );
452+ return ;
453+ }
449454
450- for (i = 0 ; i < auth -> num_conf_obj ; i ++ ) {
451- res = esp_dpp_handle_config_obj (auth , & auth -> conf_obj [i ]);
452- if (res < 0 ) {
453- goto fail ;
454- }
455+ /* DPP attribute length = vendor_data_len - 2, caller validated vendor_data_len
456+ * (we skip the 2-byte length field and pass only the attributes). */
457+ size_t dpp_data_len = vendor_len - 2 ;
458+
459+ if (dpp_conf_resp_rx (auth , resp , dpp_data_len ) < 0 ) {
460+ wpa_printf (MSG_INFO , "DPP: Configuration attempt failed" );
461+ goto fail ;
462+ }
463+
464+ for (i = 0 ; i < auth -> num_conf_obj ; i ++ ) {
465+ res = esp_dpp_handle_config_obj (auth , & auth -> conf_obj [i ]);
466+ if (res < 0 ) {
467+ wpa_printf (MSG_INFO , "DPP: Configuration parsing failed" );
468+ goto fail ;
455469 }
456470 }
457471
458472 return ;
473+
459474fail :
460475 esp_dpp_call_cb (ESP_SUPP_DPP_FAIL , (void * )ESP_ERR_DPP_FAILURE );
461476}
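Review bot: `size_t dpp_data_len = vendor_len - 2;` at line 457 has no guard against vendor_len < 2, and the comment above it only asserts that the caller validated the length — nothing in this function checks it, unlike the `< 2` guard this same commit adds to esp_dpp_rx_peer_disc_resp. Unless vendor_len is provably >= 2 at every call site, a value of 0 or 1 wraps here and the wrapped size_t is what dpp_conf_resp_rx receives, so the check belongs locally: `if (vendor_len < 2) { wpa_printf(MSG_INFO, "DPP: Too short GAS response"); return; }` placed before line 448. The structural check at lines 449-450 also reads pos[1]..pos[7] and resp points at pos[10], so the payload needs at least 10 bytes before the attributes; whether rx_param guarantees that is not visible in the hunk. Replacing the comment's claim with the actual guard avoids documenting an invariant the code does not enforce.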
@@ -694,11 +709,17 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
694709 }
695710
696711 char * uri_ptr = uri_channels ;
712+ size_t current_offset = 0 ; // Use an offset to track current position
697713 params -> num_chan = 0 ;
698714
699715 /* Append " chan=" at the beginning of the URI */
700- strcpy (uri_ptr , " chan=" );
701- uri_ptr += strlen (" chan=" );
716+ int written = os_snprintf (uri_ptr + current_offset , max_uri_len - current_offset , " chan=" );
717+ if (written < 0 || written >= max_uri_len - current_offset ) { // Check for error or truncation
718+ wpa_printf (MSG_ERROR , "DPP: URI buffer too small for initial string" );
719+ os_free (uri_channels );
720+ return NULL ;
721+ }
722+ current_offset += written ;
702723
703724 while (* chan_list && params -> num_chan < ESP_DPP_MAX_CHAN_COUNT ) {
704725 int channel = 0 ;
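Review bot: After this change `uri_ptr` is only ever used as `uri_ptr + current_offset` and is never advanced, so it is an alias of `uri_channels` that survives only from the old pointer-bumping scheme; dropping it and writing `uri_channels + current_offset` at lines 716 and 767 makes the offset-tracking intent clearer. The truncation test `written >= max_uri_len - current_offset` compares a signed `written` with what is presumably an unsigned remaining length and is correct only because `written < 0` is tested first; that ordering deserves a comment such as `/* written >= 0 here, so the unsigned compare is safe */`. The `//` comments on lines 712 and 717 also depart from the `/* */` style the rest of this function uses. esp_dpp_parse_chan_list begins before this hunk.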
@@ -733,16 +754,23 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
733754 /* Add the valid channel to the list */
734755 params -> chan_list [params -> num_chan ++ ] = channel ;
735756
736- /* Check if there's space left in uri_channels buffer */
737- size_t remaining_space = max_uri_len - (uri_ptr - uri_channels );
738- if (remaining_space <= 8 ) { // Oper class + "/" + channel + "," + null terminator
739- wpa_printf (MSG_ERROR , "DPP: Not enough space in URI buffer" );
757+ // Calculate space needed for current channel string (e.g., "81/1,")
758+ int needed_for_channel = os_snprintf (NULL , 0 , "%d/%d," , oper_class , channel );
759+
760+ if (current_offset + needed_for_channel + 1 > max_uri_len ) { // +1 for null terminator
761+ wpa_printf (MSG_ERROR , "DPP: Not enough space in URI buffer for channel %d" , channel );
740762 os_free (uri_channels );
741763 return NULL ;
742764 }
743765
744766 /* Append the operating class and channel to the URI */
745- uri_ptr += sprintf (uri_ptr , "%d/%d," , oper_class , channel );
767+ written = os_snprintf (uri_ptr + current_offset , max_uri_len - current_offset , "%d/%d," , oper_class , channel );
768+ if (written < 0 || written >= max_uri_len - current_offset ) { // Check for error or truncation
769+ wpa_printf (MSG_ERROR , "DPP: Error writing channel %d to URI buffer" , channel );
770+ os_free (uri_channels );
771+ return NULL ;
772+ }
773+ current_offset += written ;
746774
747775 /* Skip any delimiters (comma or space) */
748776 while (* chan_list == ',' || * chan_list == ' ' ) {
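Review bot: The pre-check at lines 758-760 formats the channel string twice and does not handle a negative return from `os_snprintf(NULL, 0, ...)`: if `needed_for_channel` is negative, `current_offset + needed_for_channel + 1` converts it to size_t and the guard passes with a wrapped value. Because the write at line 767 already detects truncation and frees the buffer, the pre-check adds no protection; dropping lines 757-764 and keeping the single truncation path at 767-773 leaves one check to reason about. If the pre-check is kept for its more specific error message, guard it as `if (needed_for_channel < 0 || current_offset + (size_t)needed_for_channel + 1 > max_uri_len)`. The enclosing while loop starts in the previous hunk.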
@@ -757,8 +785,8 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
757785 }
758786
759787 /* Replace the last comma with a space if there was content added */
760- if (uri_ptr > uri_channels && * ( uri_ptr - 1 ) == ',' ) {
761- * ( uri_ptr - 1 ) = ' ' ;
788+ if (current_offset > strlen ( " chan=" ) && uri_ptr [ current_offset - 1 ] == ',' ) {
789+ uri_ptr [ current_offset - 1 ] = ' ' ;
762790 }
763791
764792 return uri_channels ;
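Review bot: `strlen(" chan=")` at line 788 computes at runtime a length that line 716 and this line both depend on, and the literal is now spelled in two places; a file-scope `static const char chan_prefix[] = " chan=";` written with `%s` at line 716 and used as `sizeof chan_prefix - 1` here keeps the two from drifting apart. Behaviour is otherwise unchanged: with no channel appended the function still returns the bare prefix, which is pre-existing rather than introduced by this commit.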