diff mbox

Fixed the array out of bound for pref_freq_list in wpas_p2p_setup_freqs() function

Message ID 1481289959-19410-1-git-send-email-amit.purwar@samsung.com
State Accepted
Headers show

Commit Message

Amit Purwar Dec. 9, 2016, 1:25 p.m. UTC 
Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
---
 wpa_supplicant/p2p_supplicant.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Jouni Malinen Dec. 11, 2016, 11:05 p.m. UTC | #1 
On Fri, Dec 09, 2016 at 06:55:59PM +0530, Amit Purwar wrote:
> diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
> @@ -5239,11 +5239,10 @@ static int wpas_p2p_setup_freqs(struct wpa_supplicant *wpa_s, int freq,
> -			while ((!p2p_supported_freq(wpa_s->global->p2p,
> +			while (i < *num_pref_freq && (!p2p_supported_freq(wpa_s->global->p2p,
>  						    pref_freq_list[i]) ||

Thanks, applied. It looks like this cannot be reached in practice due to
the array being large enough (P2P_MAX_PREF_CHANNELS = 100) for there to
be any driver that would advertise enough preferred channels to reach
the end of the array. I updated the commit message to say so to make it
easier to understand impact of this.
diff mbox

Patch

diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index 2da92bf..afbb5b4 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -5239,11 +5239,10 @@  static int wpas_p2p_setup_freqs(struct wpa_supplicant *wpa_s, int freq,
 		if (!res && max_pref_freq > 0) {
 			*num_pref_freq = max_pref_freq;
 			i = 0;
-			while ((!p2p_supported_freq(wpa_s->global->p2p,
+			while (i < *num_pref_freq && (!p2p_supported_freq(wpa_s->global->p2p,
 						    pref_freq_list[i]) ||
 				wpas_p2p_disallowed_freq(wpa_s->global,
-							pref_freq_list[i])) &&
-			       i < *num_pref_freq) {
+							pref_freq_list[i])) ) {
 				wpa_printf(MSG_DEBUG,
 					   "P2P: preferred_freq_list[%d]=%d is disallowed",
 					   i, pref_freq_list[i]);