Skip to content

drivers/atwinc15x0: fix a potential buffer overflow on stack#22041

Merged
crasbe merged 1 commit intoRIOT-OS:masterfrom
gschorcht:drivers/atwinc15x0/fix_buffer_overflow_set_current_ssid
Feb 6, 2026
Merged

drivers/atwinc15x0: fix a potential buffer overflow on stack#22041
crasbe merged 1 commit intoRIOT-OS:masterfrom
gschorcht:drivers/atwinc15x0/fix_buffer_overflow_set_current_ssid

Conversation

@gschorcht
Copy link
Copy Markdown
Contributor

@gschorcht gschorcht commented Feb 4, 2026

Contribution description

The PR fixes a potential buffer overflow on stack described in GHSA-gwgv-6976-hxrg.

To prevent a buffer overflow if a BSSID with an invalid size is used, the strncpy function is used instead of strcpy for bounds checking in _atwinc15x0_sta_set_current_ssid.

Testing procedure

t.b.d.

Issues/PRs references

GHSA-gwgv-6976-hxrg

@github-actions github-actions bot added the Area: drivers Area: Device drivers label Feb 4, 2026
@gschorcht gschorcht added Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors) CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch labels Feb 4, 2026
@riot-ci
Copy link
Copy Markdown

riot-ci commented Feb 4, 2026
edited
Loading

Murdock results

✔️ PASSED

5209c1b drivers/atwinc15x0: use strncpy in _atwinc15x0_sta_set_current_ssid

Success Failures Total Runtime
11004 0 11005 09m:08s

Artifacts

@crasbe
Copy link
Copy Markdown
Contributor

crasbe commented Feb 4, 2026

I wonder if this couldn't cause an additional problem if ARRAY_SIZE(ssid) is smaller than ARRAY_SIZE(atwinc15x0->ssid). Then we'd copy more bytes than we should.

Something like MIN(ARRAY_SIZE(ssid), ARRAY_SIZE(atwinc15x5->ssid))-1 would be possible
But I guess we just don't know the length of ssid at compile time?

From what I found the length for ssid is either M2M_MAX_SSID_LEN or WIFI_SSID_LEN_MAX + 1, which are both 33.

@crasbe crasbe mentioned this pull request Feb 4, 2026
Merged
@leandrolanzieri leandrolanzieri added this to the Release 2026.01 milestone Feb 5, 2026
benpicco
benpicco reviewed Feb 5, 2026
View reviewed changes
@gschorcht
Copy link
Copy Markdown
Contributor Author

gschorcht commented Feb 5, 2026

I'm trying to test the change with a feather-m0-wifi and a arduino-mkr1000 as well. For both boards iw <iface> scan command doesn't work, neither with this change nor in current master not in release 2023.10 🤔 I have no idea what I'm doing wrong. It just hangs after the scan and the list of APs is empty:

> iw 6 scan
 SSID                            | SEC             | RSSI  | CHANNEL
---------------------------------+-----------------+-------+--------

@benpicco benpicco requested a review from fabian18 February 5, 2026 19:38
@gschorcht
drivers/atwinc15x0: use strncpy in _atwinc15x0_sta_set_current_ssid
5209c1b 
`strncpy` is used instead of `strcpy` in `_atwinc15x0_sta_set_current_ssid` to prevent buffer overflows on the stack when a BSSID with an invalid size is published and used.
@gschorcht gschorcht force-pushed the drivers/atwinc15x0/fix_buffer_overflow_set_current_ssid branch from c37a495 to 5209c1b Compare February 6, 2026 16:48
@crasbe crasbe added this pull request to the merge queue Feb 6, 2026
Merged via the queue into RIOT-OS:master with commit bd0794b Feb 6, 2026
25 checks passed
@gschorcht gschorcht mentioned this pull request Feb 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benpicco benpicco benpicco approved these changes

@fabian18 fabian18 Awaiting requested review from fabian18

Assignees

No one assigned

Labels

Area: drivers Area: Device drivers CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors)

Projects

None yet

Milestone

Release 2026.01

Development

Successfully merging this pull request may close these issues.

5 participants

@gschorcht @riot-ci @crasbe @benpicco @leandrolanzieri