wpa_supplicant: Define last_scan_freqs as int_array
authorBenjamin Berg <benjamin.berg@intel.com>
Thu, 30 Oct 2025 08:24:37 +0000 (09:24 +0100)
committerJouni Malinen <j@w1.fi>
Sat, 13 Dec 2025 19:57:07 +0000 (21:57 +0200)
Since commit 4435bc1b8abc ("Fix sibling scan results update criteria for
different channels") it is assumed that last_scan_freqs is an int array.
However, it was not, so the comparison would read memory past the
end of the array.

Fixes: 4435bc1b8abc ("Fix sibling scan results update criteria for different channels")
CC: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
wpa_supplicant/dpp_supplicant.c
wpa_supplicant/events.c
wpa_supplicant/wpa_supplicant_i.h

index dfd4baef9950dc107629b950cb5e80b439d8d0ff..d003bf1d0ef2ccc3a48b832151843c9ae4479305 100644 (file)
@@ -334,17 +334,17 @@ static char * wpas_dpp_scan_channel_list(struct wpa_supplicant *wpa_s)
        u8 last_op_class = 0;
        int res;
 
-       if (!wpa_s->last_scan_freqs || !wpa_s->num_last_scan_freqs)
+       len = int_array_len(wpa_s->last_scan_freqs);
+       if (!len)
                return NULL;
 
-       len = wpa_s->num_last_scan_freqs * 8;
-       str = os_zalloc(len);
+       str = os_zalloc(len * 8);
        if (!str)
                return NULL;
        end = str + len;
        pos = str;
 
-       for (i = 0; i < wpa_s->num_last_scan_freqs; i++) {
+       for (i = 0; wpa_s->last_scan_freqs[i]; i++) {
                enum hostapd_hw_mode mode;
                u8 op_class, channel;
 
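Review bot: `end = str + len;` is unchanged context, but `len` now holds the number of frequencies rather than the buffer size, so `end` lands one eighth of the way into the `len * 8` byte allocation. The loop body is outside the hunk; if it bounds its writes with `end - pos`, the channel list would be cut short (the failure is truncation, not an overrun). Setting `end = str + len * 8;` restores the previous bound. The body of wpas_dpp_scan_channel_list starts and ends outside the hunk.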
index 6c31e3952b92275000f81d82bafc328bd2cbed49..d831557b343a7ea5198b933ef33fe59a7c4618bb 100644 (file)
@@ -2657,16 +2657,16 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
 
        os_free(wpa_s->last_scan_freqs);
        wpa_s->last_scan_freqs = NULL;
-       wpa_s->num_last_scan_freqs = 0;
        if (own_request && data &&
            data->scan_info.freqs && data->scan_info.num_freqs) {
-               wpa_s->last_scan_freqs = os_malloc(sizeof(int) *
-                                                  data->scan_info.num_freqs);
+               wpa_s->last_scan_freqs =
+                       os_malloc(sizeof(int) *
+                                 (data->scan_info.num_freqs + 1));
                if (wpa_s->last_scan_freqs) {
                        os_memcpy(wpa_s->last_scan_freqs,
                                  data->scan_info.freqs,
                                  sizeof(int) * data->scan_info.num_freqs);
-                       wpa_s->num_last_scan_freqs = data->scan_info.num_freqs;
+                       wpa_s->last_scan_freqs[data->scan_info.num_freqs] = 0;
                }
        }
 
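Review bot: With `num_last_scan_freqs` removed, the 0 written at `last_scan_freqs[data->scan_info.num_freqs]` is the only length information left, and the `os_memcpy()` above it copies `scan_info.freqs` unchecked. A 0 entry in that list would therefore silently end the array early for every consumer that walks it as an int_array. Drivers probably never report one, but a short comment at the allocation would make the invariant explicit: `/* 0-terminated int_array; entries are assumed to be non-zero */`. The enclosing function starts and ends outside the hunk.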
index 46989acd4276a888b80557933895da9fe4dd8548..486ea0b98146c341a07983e72d6cd992c841062f 100644 (file)
@@ -924,8 +924,7 @@ struct wpa_supplicant {
 
        struct wpa_ssid_value *ssids_from_scan_req;
        unsigned int num_ssids_from_scan_req;
-       int *last_scan_freqs;
-       unsigned int num_last_scan_freqs;
+       int *last_scan_freqs; /* int_array */
        unsigned int suitable_network;
        unsigned int no_suitable_network;