author | Zeeshan Ali <zeeshanak@gnome.org> | 2019-09-27 13:09:04 +0200 |
---|---|---|
committer | Zeeshan Ali <zeeshanak@gnome.org> | 2019-09-30 09:49:11 +0200 |
commit | b858035d2c7e88b8a30219545a02fd92743272c4 (patch) | |
tree | 4b6e9d1223bce329803463964c48fb3adb541822 | |
parent | a41088422db4530904e4a61f3690c108ba4ac684 (diff) |
wifi: Don't read beyond the buffer boundry
This is the same as c6a713a541b03b611fc36aa33c723b161e80dcac but in the
duplicated code in a different module.
-rw-r--r-- | src/gclue-wifi.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/gclue-wifi.c b/src/gclue-wifi.c
index 4dbfc7c..946cb81 100644
--- a/src/gclue-wifi.c
+++ b/src/gclue-wifi.c
@@ -232,15 +232,20 @@ get_bssid_from_bss (WPABSS *bss)
 guint raw_len, len, i, j;
 variant = wpa_bss_get_bssid (bss);
+ if (variant == NULL)
+ return NULL;
 raw_bssid = variant_to_string (variant, &raw_len);
- len = raw_len * 2 + raw_len;
+ if (raw_bssid == NULL)
+ return NULL;
+
+ len = raw_len * 2;
 bssid = g_malloc (len);
- for (i = 0, j = 0; i < len; i = i + 3, j++)
- g_snprintf (bssid + i,
- 4,
- "%02x:",
- (unsigned char) raw_bssid[j]);
+ for (i = 0, j = 0; i < len - 3; i = i + 2, j++) {
+ unsigned char c = (unsigned char) raw_bssid[j];
+
+ g_snprintf (bssid + i, 3, "%02x:", c);
+ }
 bssid[len - 1] = '\0';
 return bssid; |
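Review bot: `len - 3` in the new loop condition is computed on `guint`, so if `variant_to_string` ever yields a `raw_len` of 0 or 1 the bound wraps to a huge value and the loop writes far past the `g_malloc (len)` allocation and reads past `raw_bssid`; nothing in the hunk checks `raw_len`. For a normal 6-byte BSSID the visible arithmetic also changes the result: size 3 makes `g_snprintf` truncate `"%02x:"` to two hex digits, and `i < len - 3` stops after five bytes, so the string loses its colons and its last octet (whether callers depend on the colon form is not visible here). Rejecting an empty buffer and driving the loop by `j < raw_len`, with the remaining space passed as the size, keeps every write inside the allocation. The function starts before the hunk, so the declarations are assumed to be as shown in the context lines.

```c
        /* … unchanged: variant lookup and its NULL check … */
        raw_bssid = variant_to_string (variant, &raw_len);
        if (raw_bssid == NULL || raw_len == 0)
                return NULL;

        /* "xx:" per byte; the final ':' slot holds the terminating NUL */
        len = raw_len * 3;
        bssid = g_malloc (len);
        for (j = 0; j < raw_len; j++)
                g_snprintf (bssid + j * 3, len - j * 3, "%02x:",
                            (unsigned char) raw_bssid[j]);
        /* … unchanged: bssid[len - 1] = '\0'; return bssid; … */
```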