git.ipfire.org Git - thirdparty/hostap.git/commitdiff
P2P: Fix a theoretical out of bounds read in wpas_p2p_select_go_freq()
author Amit Purwar <amit.purwar@samsung.com>
Fri, 9 Dec 2016 13:29:16 +0000 (18:59 +0530)
committer Jouni Malinen <j@w1.fi>
Sun, 11 Dec 2016 10:45:08 +0000 (12:45 +0200)
Commit 8e84921efe652233703588852bc43c36ccb241df ('P2P: Support driver
preferred freq list for Autonomous GO case') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it
to fetch a value from the array.

This code is used only if wpa_supplicant is built with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
wpa_supplicant/p2p_supplicant.c

index 75ee852e824cf1b6660af5c366765f3aec6c1547..6dc08fabdd4de92b148ee3347acef2321c2eb067 100644 (file)
@@ -5606,9 +5606,9 @@ static int wpas_p2p_select_go_freq(struct wpa_supplicant *wpa_s, int freq)
                                                 &size, pref_freq_list);
                if (!res && size > 0) {
                        i = 0;
-                       while (wpas_p2p_disallowed_freq(wpa_s->global,
-                                                       pref_freq_list[i]) &&
-                              i < size) {
+                       while (i < size &&
+                              wpas_p2p_disallowed_freq(wpa_s->global,
+                                                       pref_freq_list[i])) {
                                wpa_printf(MSG_DEBUG,
                                           "P2P: preferred_freq_list[%d]=%d is disallowed",
                                           i, pref_freq_list[i]);
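
Review bot: The reordered condition `i < size && ...` is only safe if `size` can never exceed the capacity of `pref_freq_list`, and in the visible lines the only check on the value written back through `&size` is `size > 0`. The commit message says the array holds P2P_MAX_PREF_CHANNELS entries and that a driver returning more than that is what would make an overread possible, so it would be worth clamping `size` to P2P_MAX_PREF_CHANNELS right after the `if (!res && size > 0)` test (or rejecting the result when it is larger) rather than relying on no known driver returning that many channels. With that in place the bound in the `while` condition holds regardless of what the driver op reports.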