From: Benjamin Berg
Date: Thu, 30 Oct 2025 08:24:37 +0000 (+0100)
Subject: wpa_supplicant: Define last_scan_freqs as int_array
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08e29129da766600074fa1a78a42e5e7c57ffc94;p=thirdparty%2Fhostap.git

wpa_supplicant: Define last_scan_freqs as int_array

Since commit 4435bc1b8abc ("Fix sibling scan results update criteria for different channels") it is assumed that last_scan_freqs is an int array. However, it was not so that the comparison would read memory past the end of the array.

Fixes: 4435bc1b8abc ("Fix sibling scan results update criteria for different channels")
CC: Rohan Dutta
Signed-off-by: Benjamin Berg
---

diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index dfd4baef9..d003bf1d0 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -334,17 +334,17 @@ static char * wpas_dpp_scan_channel_list(struct wpa_supplicant *wpa_s)
 u8 last_op_class = 0;
 int res;
- if (!wpa_s->last_scan_freqs || !wpa_s->num_last_scan_freqs)
+ len = int_array_len(wpa_s->last_scan_freqs);
+ if (!len)
 return NULL;
- len = wpa_s->num_last_scan_freqs * 8;
- str = os_zalloc(len);
+ str = os_zalloc(len * 8);
 if (!str)
 return NULL;
 end = str + len;
 pos = str;
- for (i = 0; i < wpa_s->num_last_scan_freqs; i++) {
+ for (i = 0; wpa_s->last_scan_freqs[i]; i++) {
 enum hostapd_hw_mode mode;
 u8 op_class, channel;
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 6c31e3952..d831557b3 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
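Review bot: In wpas_dpp_scan_channel_list() the unchanged context line `end = str + len;` no longer matches the allocation. `len` is now the element count from `int_array_len()`, while the buffer is `os_zalloc(len * 8)`. If the loop body (outside this hunk) bounds its writes with `end - pos`, only the first eighth of the buffer is usable, so the channel list is likely to be truncated or the function to fail early. Either restore the byte length with `len *= 8;` before `str = os_zalloc(len);`, or change the context line to `end = str + len * 8;`.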
@@ -2657,16 +2657,16 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
 os_free(wpa_s->last_scan_freqs);
 wpa_s->last_scan_freqs = NULL;
- wpa_s->num_last_scan_freqs = 0;
 if (own_request && data && data->scan_info.freqs && data->scan_info.num_freqs) {
- wpa_s->last_scan_freqs = os_malloc(sizeof(int) *
- data->scan_info.num_freqs);
+ wpa_s->last_scan_freqs =
+ os_malloc(sizeof(int) *
+ (data->scan_info.num_freqs + 1));
 if (wpa_s->last_scan_freqs) {
 os_memcpy(wpa_s->last_scan_freqs, data->scan_info.freqs, sizeof(int) * data->scan_info.num_freqs);
- wpa_s->num_last_scan_freqs = data->scan_info.num_freqs;
+ wpa_s->last_scan_freqs[data->scan_info.num_freqs] = 0;
 }
 }
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 46989acd4..486ea0b98 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -924,8 +924,7 @@ struct wpa_supplicant {
 struct wpa_ssid_value *ssids_from_scan_req;
 unsigned int num_ssids_from_scan_req;
- int *last_scan_freqs;
- unsigned int num_last_scan_freqs;
+ int *last_scan_freqs; /* int_array */
 unsigned int suitable_network;
 unsigned int no_suitable_network;
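Review bot: In the events.c hunk, the size `sizeof(int) * (data->scan_info.num_freqs + 1)` is multiplied out by hand with no overflow check, from a count that arrives with the scan event data. `wpa_s->last_scan_freqs = os_calloc(data->scan_info.num_freqs + 1, sizeof(int));` would check the multiplication and zero the terminating slot, making the explicit `= 0` store redundant. Because the list is now delimited by a 0 sentinel, a 0 entry in `scan_info.freqs` would silently shorten it for every consumer. A short comment at the copy stating that frequencies are assumed non-zero would make that explicit. The enclosing function starts and ends outside the hunk.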
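Review bot: In the wpa_supplicant_i.h hunk, the comment `/* int_array */` does not tell a reader that the explicit count is gone and the array must be walked to a 0 terminator. Something like `int *last_scan_freqs; /* zero-terminated int_array or NULL; use int_array_len() */` would state the invariant that the dpp_supplicant.c and events.c changes in this commit rely on.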