diff --git a/src/scan.c b/src/scan.c index add4eb50410656e26e074756854fe313da95bfc9..9d43e74391410f177b7bbdffb77ed2e524c23c3b 100644 --- a/src/scan.c +++ b/src/scan.c @@ -322,7 +322,7 @@ int add_scanres_element(struct controller *c, uint8_t len = 0, ssidlen; uint8_t info = 0x00; uint8_t bw_len; - char *endptr = NULL; + char buf[6] = {0}; nbr = calloc(1, sizeof(*nbr)); if (!nbr) @@ -341,11 +341,19 @@ int add_scanres_element(struct controller *c, nbr->rssi = rcpi_to_rssi(tv_data[offset]); offset++; bw_len = tv_data[offset++]; - errno = 0; - nbr->bw = strtol((char *)&tv_data[offset], &endptr, 10); - if (errno || *endptr != '\0') { - warn("%s: Error parsing bw value: %s\n", - __func__, (char *)&tv_data[offset]); + if (bw_len > sizeof(buf)) { + warn("%s: bw_len %d is too long\n", __func__, bw_len); + goto error; + } else { + char *endptr = NULL; + + errno = 0; + memcpy(buf, &tv_data[offset], bw_len); + nbr->bw = strtol(buf, &endptr, 10); + if (errno || *endptr != '\0') { + warn("%s: Error parsing bw value: %s\n", + __func__, (char *)&tv_data[offset]); + } } offset += bw_len; info = tv_data[offset];