From 944d48588915834cdcf5e255b4612f282128da0a Mon Sep 17 00:00:00 2001
From: Amit Purwar
Date: Fri, 9 Dec 2016 18:55:59 +0530
Subject: [PATCH] P2P: Fix a theoretical out of bounds read in wpas_p2p_setup_freqs()

Commit 370017d968e071522357ea88c0c6aaed02853222 ('P2P: Use preferred frequency list from the local driver') introduced this loop to go through the preferred channel list from the driver. The loop does bounds checking of the index only after having read a value from the array. That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it to fetch a value from the array.

This code is used only if wpa_supplicant is built with CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor extension (get_pref_freq_list() driver op). In addition, the driver would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred channels for this to actually be able to read beyond the buffer. No driver is known to return that many preferred channels, so this does not seem to be reachable in practice.

Signed-off-by: Amit Purwar
Signed-off-by: Mayank Haarit
---
 wpa_supplicant/p2p_supplicant.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index 2da92bf46..75ee852e8 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -5239,11 +5239,11 @@ static int wpas_p2p_setup_freqs(struct wpa_supplicant *wpa_s, int freq, if (!res && max_pref_freq > 0) { *num_pref_freq = max_pref_freq; i = 0; - while ((!p2p_supported_freq(wpa_s->global->p2p, + while (i < *num_pref_freq && + (!p2p_supported_freq(wpa_s->global->p2p, pref_freq_list[i]) || wpas_p2p_disallowed_freq(wpa_s->global, - pref_freq_list[i])) && - i < *num_pref_freq) { + pref_freq_list[i]))) { wpa_printf(MSG_DEBUG, "P2P: preferred_freq_list[%d]=%d is disallowed", i, pref_freq_list[i]);
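Review bot: the reordered condition closes the read of pref_freq_list[*num_pref_freq] because `&&` short-circuits, but the bound it now relies on is `*num_pref_freq = max_pref_freq;` two lines above, and nothing in this hunk clamps max_pref_freq to the size of the stack buffer (P2P_MAX_PREF_CHANNELS, per the commit message). If the get_pref_freq_list() driver op can ever report a count larger than the buffer it was handed, the loop still walks past the end even with the check first; either confirm the driver op caps the count at the size passed in, or add a clamp such as `if (max_pref_freq > P2P_MAX_PREF_CHANNELS) max_pref_freq = P2P_MAX_PREF_CHANNELS;` before the assignment. A one-line comment on the while stating that the index check must stay first would also keep a later readability cleanup from reintroducing the bug.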
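As an added illustration of the ordering problem the commit message describes (example code written for this page, not wpa_supplicant's own): the two scan functions below differ only in whether `i < n` is evaluated before or after the array access. `freq_disallowed()`, `read_freq()`, `last_max_index_read()`, `PREF_MAX` and the two sample lists are assumptions made for the demo; they stand in for p2p_supported_freq()/wpas_p2p_disallowed_freq(), P2P_MAX_PREF_CHANNELS and the driver's list, and do not reproduce them.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for P2P_MAX_PREF_CHANNELS; the real buffer has 100 entries. */
#define PREF_MAX 4

/* Instrumentation: highest index passed to read_freq() during the last
 * scan, so a caller can see whether list[n] was ever touched. */
static size_t max_index_read;

static unsigned int read_freq(const unsigned int *list, size_t i)
{
	if (i > max_index_read)
		max_index_read = i;
	return list[i];
}

size_t last_max_index_read(void)
{
	return max_index_read;
}

/* Hypothetical replacement for the p2p_supported_freq() /
 * wpas_p2p_disallowed_freq() pair: treat everything below 6 GHz as
 * disallowed so the scan has to run all the way to the end of the list. */
static int freq_disallowed(unsigned int freq_mhz)
{
	return freq_mhz < 6000;
}

/* Ordering before the patch: list[i] is read first, i < n checked second.
 * Returns the index of the first allowed entry, or n if there is none. */
size_t scan_check_after(const unsigned int *list, size_t n)
{
	size_t i = 0;

	max_index_read = 0;
	while (freq_disallowed(read_freq(list, i)) && i < n)
		i++;
	return i;
}

/* Ordering after the patch: i < n is evaluated first and && short-circuits,
 * so read_freq() is never called with i == n. Same return value. */
size_t scan_check_before(const unsigned int *list, size_t n)
{
	size_t i = 0;

	max_index_read = 0;
	while (i < n && freq_disallowed(read_freq(list, i)))
		i++;
	return i;
}

/* Constructed sample lists. They carry one extra slot (index PREF_MAX) so the
 * pre-patch over-read lands in defined memory for this demo; in wpa_supplicant
 * the array is a stack buffer with no such slack. */
const unsigned int all_disallowed[PREF_MAX + 1] = { 2412, 2437, 2462, 5180, 0 };
const unsigned int one_allowed[PREF_MAX + 1]    = { 2412, 2437, 6115, 5180, 0 };

int main(void)
{
	scan_check_after(all_disallowed, PREF_MAX);
	printf("check after read : highest index read = %zu (n = %d)\n",
	       last_max_index_read(), PREF_MAX);
	scan_check_before(all_disallowed, PREF_MAX);
	printf("check before read: highest index read = %zu (n = %d)\n",
	       last_max_index_read(), PREF_MAX);
	printf("first allowed entry in one_allowed: index %zu\n",
	       scan_check_before(one_allowed, PREF_MAX));
	return 0;
}
```

With every entry disallowed, the pre-patch ordering reaches index n before the bound is ever consulted, while the patched ordering stops at n-1; both agree on the result whenever an allowed entry exists, which is why the bug is invisible in normal operation. Compiling the same code with an exact-size array and `-fsanitize=address` turns the first variant's final read into a reported stack-buffer-overflow.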