DFS: Do not allow channel checks to go beyond the channel list
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 23 Nov 2022 20:51:50 +0000 (22:51 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 23 Nov 2022 20:51:50 +0000 (22:51 +0200)
Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/dfs.c

index 7f31f283d39d7dbe412af22b80c89f0f1b06b70c..e8c5ec9ac24967629eb220641836ba24a7a40e6b 100644 (file)
@@ -445,6 +445,8 @@ static int dfs_check_chans_radar(struct hostapd_iface *iface,
        mode = iface->current_mode;
 
        for (i = 0; i < n_chans; i++) {
+               if (start_chan_idx + i >= mode->num_channels)
+                       break;
                channel = &mode->channels[start_chan_idx + i];
                if (channel->flag & HOSTAPD_CHAN_RADAR)
                        res++;
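Review bot: The guard added to the loop in dfs_check_chans_radar() stops silently once `start_chan_idx + i` reaches `mode->num_channels`, so `res` covers only the in-range part of the requested span and the caller cannot tell a truncated check from a complete one. Because this count appears to feed the decision on whether radar handling is needed, I would log the condition at debug level before the `break` and document it, e.g. `/* Configured channel/bandwidth extends past the channel list; only in-range channels are counted */`, or reject the configuration outright if the callers allow it. The identical guard in dfs_get_cac_time() in the next hunk has the same property. The check also covers only the upper bound: if `start_chan_idx` is a signed type that can be negative (its declaration is not in the hunk), a combined test such as `if (start_chan_idx < 0 || start_chan_idx + i >= mode->num_channels)` would close the lower side as well. Both function bodies continue outside the hunks, so how the results are used is inferred.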
@@ -797,6 +799,8 @@ static unsigned int dfs_get_cac_time(struct hostapd_iface *iface,
        mode = iface->current_mode;
 
        for (i = 0; i < n_chans; i++) {
+               if (start_chan_idx + i >= mode->num_channels)
+                       break;
                channel = &mode->channels[start_chan_idx + i];
                if (!(channel->flag & HOSTAPD_CHAN_RADAR))
                        continue;