[PATCH 06/18] wpa_supplicant: define last_scan_freqs as int array
Benjamin Berg
benjamin at sipsolutions.net
Thu Oct 30 01:24:37 PDT 2025
From: Benjamin Berg <benjamin.berg at intel.com>
Since commit 4435bc1b8abc ("Fix sibling scan results update criteria for
different channels") it is assumed that last_scan_freqs is an int array.
However, it was not so that the comparison would read memory past the
end of the array.
Fixes: 4435bc1b8abc ("Fix sibling scan results update criteria for different channels")
CC: Rohan Dutta <quic_drohan at quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg at intel.com>
---
Hi,
This fixes the invalid memory access. However, I am not entirely
convinced the original commit of simply comparing the frequency arrays
like this makes sense. It seems like one could prevent discarding
relevant scan results in other ways. For example, by not increasing the
scan_miss_count when the frequency of the BSS was not included in the
scan.
Benjamin
Signed-off-by: Benjamin Berg <benjamin.berg at intel.com>
---
wpa_supplicant/dpp_supplicant.c | 9 +++++----
wpa_supplicant/events.c | 7 +++----
wpa_supplicant/wpa_supplicant_i.h | 1 -
3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index 74b0ef1f8f..d893f7b629 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -334,17 +334,18 @@ static char * wpas_dpp_scan_channel_list(struct wpa_supplicant *wpa_s)
u8 last_op_class = 0;
int res;
- if (!wpa_s->last_scan_freqs || !wpa_s->num_last_scan_freqs)
+ len = int_array_len(wpa_s->last_scan_freqs);
+
+ if (!len)
return NULL;
- len = wpa_s->num_last_scan_freqs * 8;
- str = os_zalloc(len);
+ str = os_zalloc(len * 8);
if (!str)
return NULL;
end = str + len;
pos = str;
- for (i = 0; i < wpa_s->num_last_scan_freqs; i++) {
+ for (i = 0; wpa_s->last_scan_freqs[i]; i++) {
enum hostapd_hw_mode mode;
u8 op_class, channel;
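Review bot: the unchanged context line `end = str + len;` is now wrong, because `len` changed meaning in this hunk: it used to be the byte size computed by the removed `len = wpa_s->num_last_scan_freqs * 8;`, but after `len = int_array_len(wpa_s->last_scan_freqs);` it is the element count, while the allocation became `str = os_zalloc(len * 8);`. The write bound `end` therefore ends up 8x too small and the channel-list string built below will be truncated. Either keep `len` as the byte count (`len = int_array_len(wpa_s->last_scan_freqs) * 8; if (!len) return NULL; str = os_zalloc(len);`, which keeps the `!len` check and the existing `end = str + len;` valid) or change the context line to `end = str + len * 8;`.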
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 7ea1199cb7..a61aadf8df 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -2657,16 +2657,15 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
os_free(wpa_s->last_scan_freqs);
wpa_s->last_scan_freqs = NULL;
- wpa_s->num_last_scan_freqs = 0;
if (own_request && data &&
data->scan_info.freqs && data->scan_info.num_freqs) {
- wpa_s->last_scan_freqs = os_malloc(sizeof(int) *
- data->scan_info.num_freqs);
+ wpa_s->last_scan_freqs =
+ os_malloc(sizeof(int) * (data->scan_info.num_freqs + 1));
if (wpa_s->last_scan_freqs) {
os_memcpy(wpa_s->last_scan_freqs,
data->scan_info.freqs,
sizeof(int) * data->scan_info.num_freqs);
- wpa_s->num_last_scan_freqs = data->scan_info.num_freqs;
+ wpa_s->last_scan_freqs[data->scan_info.num_freqs] = 0;
}
}
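Review bot: the sentinel written by `wpa_s->last_scan_freqs[data->scan_info.num_freqs] = 0;` makes the buffer a zero-terminated list, so int_array_len() and the `for (i = 0; wpa_s->last_scan_freqs[i]; i++)` loop in dpp_supplicant.c silently stop at the first 0 entry if data->scan_info.freqs ever contains one. That is fine for a frequency list, but it is an implicit contract that the memcpy above does not state; a one-line comment at the copy (or a check that rejects a zero entry) would make it explicit. Since `num_last_scan_freqs` is dropped here, please also confirm that the comparison site mentioned in the commit message, which is not in this hunk, is the only other reader and now goes through int_array_len() rather than the removed count.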
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 9780822dfc..c6969d38c4 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -925,7 +925,6 @@ struct wpa_supplicant {
struct wpa_ssid_value *ssids_from_scan_req;
unsigned int num_ssids_from_scan_req;
int *last_scan_freqs;
- unsigned int num_last_scan_freqs;
unsigned int suitable_network;
unsigned int no_suitable_network;
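Review bot: `int *last_scan_freqs;` now has a different shape (zero-terminated, with the count field `num_last_scan_freqs` removed directly below it), but the declaration carries no comment saying so. Add something like `int *last_scan_freqs; /* zero-terminated list of frequencies from the last own scan */` so that a later change does not reintroduce a count-based loop or an unterminated allocation.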
--
2.51.0