From: Jouni Malinen
Date: Thu, 16 Oct 2025 20:24:56 +0000 (+0300)
Subject: PASN: Allocate a copy of pasn_groups list into pasn_data
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=73fce7cd8d1bc1e86fbad04a0acabd8ead4fcea4;p=thirdparty%2Fhostap.git
PASN: Allocate a copy of pasn_groups list into pasn_data
Instead of pointing at an external memory location that might get invalidated (e.g., by being actually in stack instead of long term heap allocation as seems to be the case in src/p2p/p2p.c), allocate a copy of the list PASN groups into struct pasn_data.
Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 75c085383..571507596 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2873,7 +2873,8 @@ static void hapd_initialize_pasn(struct hostapd_data *hapd,
 pasn_set_peer_addr(pasn, sta->addr);
 pasn_set_wpa_key_mgmt(pasn, hapd->conf->wpa_key_mgmt);
 pasn_set_rsn_pairwise(pasn, hapd->conf->rsn_pairwise);
- pasn->pasn_groups = hapd->conf->pasn_groups;
+ os_free(pasn->pasn_groups);
+ pasn->pasn_groups = int_array_dup(hapd->conf->pasn_groups);
 pasn->noauth = hapd->conf->pasn_noauth;
 if (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_AP)
 pasn_enable_kdk_derivation(pasn);
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 43c0101eb..b19000f4e 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -7173,7 +7173,8 @@ static int p2p_handle_pasn_auth(struct p2p_data *p2p, struct p2p_device *dev,
 } else {
 pasn_groups[0] = 19;
 }
- pasn->pasn_groups = pasn_groups;
+ os_free(pasn->pasn_groups);
+ pasn->pasn_groups = int_array_dup(pasn_groups);
 if (p2p_pasn_handle_action_wrapper(p2p, dev, mgmt, len, freq, auth_transaction)) {
diff --git a/src/pasn/pasn_common.c b/src/pasn/pasn_common.c
index 654656e58..e29221178 100644
--- a/src/pasn/pasn_common.c
+++ b/src/pasn/pasn_common.c
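Review bot: In the src/ap/ieee802_11.c hunk the result of `int_array_dup(hapd->conf->pasn_groups)` is stored without a check, so an allocation failure leaves `pasn->pasn_groups` NULL even though the configuration names a group list. If the PASN code treats a NULL list as "use the default groups" (not visible in this diff), that failure would silently replace the configured group policy instead of failing the exchange. A guard such as `if (hapd->conf->pasn_groups && !pasn->pasn_groups) wpa_printf(MSG_ERROR, "PASN: Failed to copy group list");` would at least make it visible; hapd_initialize_pasn() returns void and continues outside the hunk, so aborting needs a change there. The src/p2p/p2p.c hunk has the same unchecked call, and p2p_handle_pasn_auth() returns int, so it can fail directly.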
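Review bot: The `os_free(pasn->pasn_groups);` plus `int_array_dup()` pair in the src/p2p/p2p.c hunk is a copy of the same two lines in src/ap/ieee802_11.c, which leaves the ownership rule for this field spread over two callers. The AP hunk already goes through `pasn_set_peer_addr()`, `pasn_set_wpa_key_mgmt()` and `pasn_set_rsn_pairwise()` for neighbouring fields, so a setter in the same style (for example a new `pasn_set_groups(pasn, pasn_groups)`, name proposed here) would keep the free-then-copy step and its failure handling in one place. p2p_handle_pasn_auth() starts and ends outside the hunk.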
@@ -34,6 +34,7 @@ void pasn_data_deinit(struct pasn_data *pasn)
 return;
 os_free(pasn->rsnxe_ie);
 wpabuf_free(pasn->frame);
+ os_free(pasn->pasn_groups);
 bin_clear_free(pasn, sizeof(struct pasn_data));
 }
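Review bot: The added `os_free(pasn->pasn_groups);` in pasn_data_deinit() makes the field an owning pointer, but nothing in this diff records that at the declaration. A comment on the `pasn_groups` member of struct pasn_data, such as `/* Heap copy owned by pasn_data; freed in pasn_data_deinit() */`, would document the new contract. Any writer of this field outside the two callers changed here that still assigns a borrowed or stack pointer would turn this call into an invalid free, so the remaining assignment sites are worth checking before merge. The function begins outside the hunk.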