From 749add5c647e1e4e20114c4c74caa0578cf0e531 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 22 Mar 2020 18:37:40 +0200
Subject: [PATCH] Limit freq_range_list_parse() result to UINT_MAX entries

This addresses a theoretical integer overflow with configuration
parameters with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/utils/common.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/utils/common.c b/src/utils/common.c
index e5b3dcbd4..16aa7b6ee 100644
--- a/src/utils/common.c
+++ b/src/utils/common.c
@@ -791,6 +791,10 @@ int freq_range_list_parse(struct wpa_freq_range_list *res, const char *value)
 	 */
 	pos = value;
 	while (pos && pos[0]) {
+		if (count == UINT_MAX) {
+			os_free(freq);
+			return -1;
+		}
 		n = os_realloc_array(freq, count + 1,
 				     sizeof(struct wpa_freq_range));
 		if (n == NULL) {