From: Jouni Malinen <j@w1.fi>
Date: Sun, 22 Mar 2020 16:37:40 +0000 (+0200)
Subject: Limit freq_range_list_parse() result to UINT_MAX entries
X-Git-Tag: hostap_2_10~1581
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=749add5c647e1e4e20114c4c74caa0578cf0e531;p=thirdparty%2Fhostap.git

Limit freq_range_list_parse() result to UINT_MAX entries

This addresses a theoretical integer overflow with configuration
parameters with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/utils/common.c b/src/utils/common.c
index e5b3dcbd4..16aa7b6ee 100644
--- a/src/utils/common.c
+++ b/src/utils/common.c
@@ -791,6 +791,10 @@ int freq_range_list_parse(struct wpa_freq_range_list *res, const char *value)
 	 */
 	pos = value;
 	while (pos && pos[0]) {
+		if (count == UINT_MAX) {
+			os_free(freq);
+			return -1;
+		}
 		n = os_realloc_array(freq, count + 1,
 				     sizeof(struct wpa_freq_range));
 		if (n == NULL) {