From: Hu Wang <quic_huw@quicinc.com>
Date: Tue, 25 Mar 2025 06:12:03 +0000 (-0700)
Subject: hostapd: Fix static analyzer issue for CHAN_SWITCH 6 GHz bw
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea23746fd79a28a84e426161d4f17e2fb961aef8;p=thirdparty%2Fhostap.git

hostapd: Fix static analyzer issue for CHAN_SWITCH 6 GHz bw

Static analyzer complains:
In hostapd_ctrl_check_freq_params(), Array 'bw_idx' of size 5
may use index value(s) 5.

The highest value that center_idx_to_bw_6ghz(idx) can currently return
is 4, so this is not really able to trigger read beyond the end of the
array. In any case, the bounds check is clearly incorrect and needs to
be fixed so that this is able to handle any potential future extension.

Fixes: 744295c8bc5a ("Add 6 GHz channel validation during channel switching")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index 7e7b6939b..2edce5ae3 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -2474,7 +2474,7 @@ static int hostapd_ctrl_check_freq_params(struct hostapd_freq_params *params,
 				idx = (params->center_freq1 - 5950) / 5;
 
 			bw = center_idx_to_bw_6ghz(idx);
-			if (bw < 0 || bw > (int) ARRAY_SIZE(bw_idx) ||
+			if (bw < 0 || bw >= (int) ARRAY_SIZE(bw_idx) ||
 			    bw_idx[bw] != params->bandwidth)
 				return -1;
 		}