drivers: eswifi: shell: Fix possible overflow

Limit the copied data to the buffer's size. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
pengxy · Oct 10, 2023 · ea109f6 · ea109f6
1 parent 2504329
commit ea109f6
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/drivers/wifi/eswifi/eswifi_shell.c b/drivers/wifi/eswifi/eswifi_shell.c
@@ -25,6 +25,7 @@ static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
 			      char **argv)
 {
 	int i;
+	size_t len = 0;
 
 	if (eswifi == NULL) {
 		shell_print(sh, "no eswifi device registered");
@@ -40,9 +41,16 @@ static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
 
 	memset(eswifi->buf, 0, sizeof(eswifi->buf));
 	for (i = 1; i < argc; i++) {
-		strcat(eswifi->buf, argv[i]);
+		size_t argv_len = strlen(argv[i]);
+
+		if ((len + argv_len) >= sizeof(eswifi->buf) - 1) {
+			break;
+		}
+
+		memcpy(eswifi->buf + len, argv[i], argv_len);
+		len += argv_len;
 	}
-	strcat(eswifi->buf, "\r");
+	eswifi->buf[len] = '\r';
 
 	shell_print(sh, "> %s", eswifi->buf);
 	eswifi_at_cmd(eswifi, eswifi->buf);