From 73fce7cd8d1bc1e86fbad04a0acabd8ead4fcea4 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Date: Thu, 16 Oct 2025 23:24:56 +0300
Subject: [PATCH] PASN: Allocate a copy of pasn_groups list into pasn_data

Instead of pointing at an external memory location that might get
invalidated (e.g., by being actually in stack instead of long term heap
allocation as seems to be the case in src/p2p/p2p.c), allocate a copy of
the list PASN groups into struct pasn_data.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
---
 src/ap/ieee802_11.c    | 3 ++-
 src/p2p/p2p.c          | 3 ++-
 src/pasn/pasn_common.c | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 75c085383..571507596 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2873,7 +2873,8 @@ static void hapd_initialize_pasn(struct hostapd_data *hapd,
 	pasn_set_peer_addr(pasn, sta->addr);
 	pasn_set_wpa_key_mgmt(pasn, hapd->conf->wpa_key_mgmt);
 	pasn_set_rsn_pairwise(pasn, hapd->conf->rsn_pairwise);
-	pasn->pasn_groups = hapd->conf->pasn_groups;
+	os_free(pasn->pasn_groups);
+	pasn->pasn_groups = int_array_dup(hapd->conf->pasn_groups);
 	pasn->noauth = hapd->conf->pasn_noauth;
 	if (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_AP)
 		pasn_enable_kdk_derivation(pasn);
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 43c0101eb..b19000f4e 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -7173,7 +7173,8 @@ static int p2p_handle_pasn_auth(struct p2p_data *p2p, struct p2p_device *dev,
 		} else {
 			pasn_groups[0] = 19;
 		}
-		pasn->pasn_groups = pasn_groups;
+		os_free(pasn->pasn_groups);
+		pasn->pasn_groups = int_array_dup(pasn_groups);
 
 		if (p2p_pasn_handle_action_wrapper(p2p, dev, mgmt, len, freq,
 						   auth_transaction)) {
diff --git a/src/pasn/pasn_common.c b/src/pasn/pasn_common.c
index 654656e58..e29221178 100644
--- a/src/pasn/pasn_common.c
+++ b/src/pasn/pasn_common.c
@@ -34,6 +34,7 @@ void pasn_data_deinit(struct pasn_data *pasn)
 		return;
 	os_free(pasn->rsnxe_ie);
 	wpabuf_free(pasn->frame);
+	os_free(pasn->pasn_groups);
 	bin_clear_free(pasn, sizeof(struct pasn_data));
 }
 
-- 
2.47.3