Fix the out of bound memory in pref_freq_list.

Message ID 1481290156-19528-1-git-send-email-amit.purwar@samsung.com
State Accepted

Commit Message

Amit Purwar Dec. 9, 2016, 1:29 p.m. UTC
In while loop first index of pref_freq_list is checked with size of pref_freq_list and then it is accessed.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
---
 wpa_supplicant/p2p_supplicant.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Jouni Malinen Dec. 11, 2016, 11:05 p.m. UTC | #1
On Fri, Dec 09, 2016 at 06:59:16PM +0530, Amit Purwar wrote:
> In while loop first index of pref_freq_list is checked with size of pref_freq_list and then it is accessed.

Thanks, applied. It looks like this cannot be reached in practice due to
the array being large enough (P2P_MAX_PREF_CHANNELS = 100) for there to
be any driver that would advertise enough preferred channels to reach
the end of the array. I updated the commit message to say so to make it
easier to understand impact of this.

Patch

diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index 2da92bf..f485dd9 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -5606,9 +5606,8 @@  static int wpas_p2p_select_go_freq(struct wpa_supplicant *wpa_s, int freq)
 						 &size, pref_freq_list);
 		if (!res && size > 0) {
 			i = 0;
-			while (wpas_p2p_disallowed_freq(wpa_s->global,
-							pref_freq_list[i]) &&
-			       i < size) {
+			while (i < size && wpas_p2p_disallowed_freq(wpa_s->global,
+							pref_freq_list[i]) ) {
 				wpa_printf(MSG_DEBUG,
 					   "P2P: preferred_freq_list[%d]=%d is disallowed",
 					   i, pref_freq_list[i]);
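
Review bot: The two added lines leave a stray space before the final parenthesis (`pref_freq_list[i]) ) {`) and put the bounds check and the call on one long line, with the continuation still aligned for the old layout. Putting `i < size &&` on its own line ahead of the wpas_p2p_disallowed_freq() call would keep the short-circuit order and match the surrounding style. The hunk ends inside the loop body, so it does not show what follows the loop; since the loop can exit with i == size, it is worth confirming that the code after it compares i against size before reading pref_freq_list[i] again.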