[PATCH] common: Fix misaligned access in get_max_nss_capability()

[Andrei Otcheretianski]

The HE capabilities optional field starts at an odd offset within
the packed struct. Casting &optional[0] or &optional[4] to
le16 * causes misaligned memory access, which is undefined behavior
and crashes wpa_supplicant with sanitizers enabled.
Properly use WPA_GET_LE16() instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
 src/common/ieee802_11_common.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 0dd302e11a..32342f7d99 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -3837,13 +3837,13 @@ unsigned int get_max_nss_capability(struct ieee802_11_elems *elems,
 		const u8 *optional = hecaps->optional;
 
 		if (bw == CHAN_WIDTH_160) {
-			const le16 *mcs_160 = (const le16 *) &optional[0];
-
-			mcs_map = parse_for_rx ? mcs_160[0] : mcs_160[1];
+			mcs_map = host_to_le16(
+				WPA_GET_LE16(parse_for_rx ?
+					     &optional[0] : &optional[2]));
 		} else if (bw == CHAN_WIDTH_80P80) {
-			const le16 *mcs_80p80 = (const le16 *) &optional[4];
-
-			mcs_map = parse_for_rx ? mcs_80p80[0] : mcs_80p80[1];
+			mcs_map = host_to_le16(
+				WPA_GET_LE16(parse_for_rx ?
+					     &optional[4] : &optional[6]));
 		} else {
 			mcs_map = parse_for_rx ?
 				hecaps->he_basic_supported_mcs_set.rx_map :
-- 
2.53.0