[PATCH v2] nl80211: Fix frequencies array boundary check
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Feb 28 03:10:01 PST 2023
From: Avraham Stern <avraham.stern at intel.com>
The number of frequencies is increased before the boundary check,
thus it should be allowed to be equal to the number of elements in
the array.
In addition, add the missing byte for the NULL terminator.
Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
src/drivers/driver_nl80211_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c
index e3fcb44022..3a2faf63e5 100644
--- a/src/drivers/driver_nl80211_event.c
+++ b/src/drivers/driver_nl80211_event.c
@@ -1717,7 +1717,7 @@ static void send_scan_event(struct wpa_driver_nl80211_data *drv, int aborted,
}
}
if (tb[NL80211_ATTR_SCAN_FREQUENCIES]) {
- char msg[MAX_REPORT_FREQS * 5], *pos, *end;
+ char msg[MAX_REPORT_FREQS * 5 + 1], *pos, *end;
int res;
pos = msg;
@@ -1732,7 +1732,7 @@ static void send_scan_event(struct wpa_driver_nl80211_data *drv, int aborted,
if (!os_snprintf_error(end - pos, res))
pos += res;
num_freqs++;
- if (num_freqs == MAX_REPORT_FREQS - 1)
+ if (num_freqs == MAX_REPORT_FREQS)
break;
}
info->freqs = freqs;
--
2.38.1
More information about the Hostap
mailing list