[PATCH] wpa_supplicant: Fix parsing of max_oper_chwidth

Sven Eckelmann sven.eckelmann at openmesh.com
Mon May 7 06:24:29 PDT 2018

The max_oper_chwidth is parsed in wpa_config_set as INT_RANGE (see
ssid_fields). The actual parsing for INT_RANGE is done by
wpa_config_parse_int which can only store the result as a full integer.

max_oper_chwidth is stored as u8 (a single byte) in wpa_ssid. This means
that on little endian systems, the least significant byte of the parsed
value is really stored in the max_oper_chwidth. But on big endian systems,
only the most significant byte is stored as max_oper_chwidth. This means
that 0 is always stored because the provided range doesn't allow any other
value for systems with multi-byte-wide integers.

This also means that for common systems with 4-byte-wide integers, the
remaining 3 bytes were written after the actual member of the struct. This
should not have influenced the behavior of succeeding members because these
bytes would have been part of the padding between the members on most

Increasing its size to a full int fixes the write operations outside of the
member and allows using the max_oper_chwidth setting on big endian

Fixes: 0f29bc68d18e ("IBSS/mesh: Add support for VHT80P80 configuration")
Signed-off-by: Sven Eckelmann <sven.eckelmann at openmesh.com>
Cc: Ahmad Kholaif <akholaif at qca.qualcomm.com>
Cc: Jouni Malinen <jouni at qca.qualcomm.com>

 wpa_supplicant/config_ssid.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 9fd56c32f..65007795b 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -497,7 +497,7 @@ struct wpa_ssid {
 	int vht;
-	u8 max_oper_chwidth;
+	int max_oper_chwidth;
 	unsigned int vht_center_freq1;
 	unsigned int vht_center_freq2;
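
Review bot: the changed member `int max_oper_chwidth;` carries no comment saying why it has to be int-sized, so a later cleanup could narrow it back to u8 and reintroduce the write past the member that the commit message describes. Suggest a one-line comment on the member noting that it is set through the INT_RANGE parser, which stores a full int. The widening also covers only this one field: it is worth checking that every other wpa_ssid member parsed as an integer through ssid_fields is int-sized too, ideally with a compile-time size check where the fields are registered, so the same type mismatch cannot recur silently.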

