From d14a398fa4f5c85eb2af60de148993f7095ec518 Mon Sep 17 00:00:00 2001
From: Flavio Ceolin
Date: Mon, 25 Sep 2023 15:37:57 -0700
Subject: [PATCH 1/2] drivers: eswifi: Fix possible buffer overflow

Limit the number of the copied ssid to WIFI_SSID_MAX_LEN and avoid a possible one byte overflow.

Signed-off-by: Flavio Ceolin
---
 drivers/wifi/eswifi/eswifi_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/wifi/eswifi/eswifi_core.c b/drivers/wifi/eswifi/eswifi_core.c
index 83ef83935527ae..f4794bbb8b32fd 100644
--- a/drivers/wifi/eswifi/eswifi_core.c
+++ b/drivers/wifi/eswifi/eswifi_core.c
@@ -490,8 +490,8 @@ int eswifi_mgmt_iface_status(const struct device *dev,
 }
 status->state = WIFI_STATE_COMPLETED;
- strcpy(status->ssid, sta->ssid);
- status->ssid_len = strlen(sta->ssid);
+ status->ssid_len = strnlen(sta->ssid, WIFI_SSID_MAX_LEN);
+ strncpy(status->ssid, sta->ssid, sta->ssid_len);
 status->band = WIFI_FREQ_BAND_2_4_GHZ;
 status->channel = 0;

From ec9f542a78a15598f21579c396bd8b79b5d5dd2d Mon Sep 17 00:00:00 2001
From: Flavio Ceolin
Date: Mon, 25 Sep 2023 15:44:36 -0700
Subject: [PATCH 2/2] drivers: eswifi: shell: Fix possible overflow

Limit the copied data to the buffer's size.

Signed-off-by: Flavio Ceolin
---
 drivers/wifi/eswifi/eswifi_shell.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/wifi/eswifi/eswifi_shell.c b/drivers/wifi/eswifi/eswifi_shell.c
index ee5cf4a15ba155..de122d4ef1f769 100644
--- a/drivers/wifi/eswifi/eswifi_shell.c
+++ b/drivers/wifi/eswifi/eswifi_shell.c
@@ -25,6 +25,7 @@ static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
 char **argv)
 {
 int i;
+ size_t len = 0;
 if (eswifi == NULL) {
 shell_print(sh, "no eswifi device registered");
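Review bot: In the eswifi_core.c hunk (eswifi_mgmt_iface_status), the new `strncpy` is bounded by `sta->ssid_len` rather than by the `status->ssid_len` value clamped on the line above, so the WIFI_SSID_MAX_LEN limit never reaches the copy. Whether `sta` has an `ssid_len` member is not visible here; if it does not, this fails to build, and if it does, the copy length is whatever that field happens to hold. The copy should use the clamped length: `strncpy(status->ssid, sta->ssid, status->ssid_len);` (or `memcpy` with the same length). With a full-length SSID, strncpy writes no terminator, so readers of `status->ssid` must rely on `ssid_len` unless the destination is zeroed beforehand or sized with room for a NUL, neither of which this hunk shows. The function body starts and ends outside the hunk.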
@@ -40,9 +41,16 @@ static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
 memset(eswifi->buf, 0, sizeof(eswifi->buf));
 for (i = 1; i < argc; i++) {
- strcat(eswifi->buf, argv[i]);
+ size_t argv_len = strlen(argv[i]);
+
+ if ((len + argv_len) >= sizeof(eswifi->buf) - 1) {
+ break;
+ }
+
+ memcpy(eswifi->buf + len, argv[i], argv_len);
+ len += argv_len;
 }
- strcat(eswifi->buf, "\r");
+ eswifi->buf[len] = '\r';
 shell_print(sh, "> %s", eswifi->buf);
 eswifi_at_cmd(eswifi, eswifi->buf);
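Review bot: In the eswifi_shell.c loop, an argument that does not fit makes the code `break`, yet the `\r` is still appended and `eswifi_at_cmd()` still called, so a truncated command with its trailing arguments dropped is sent to the module instead of being rejected. Treat overflow as an input error: report it with something like `shell_print(sh, "command too long");` and return an error code without sending. eswifi_shell_atcmd starts and ends outside the hunk, so that error path must also release anything acquired before the `memset`, which is not visible here. The bound itself holds: `len` stays at most `sizeof(eswifi->buf) - 2`, so the final byte remains the zero written by `memset`.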