| Message ID | 20260507191130.36955-1-andrei.otcheretianski@intel.com |
|---|---|
| State | Accepted |
| Series | common: Fix misaligned access in get_max_nss_capability() |

On Thu, May 07, 2026 at 10:11:27PM +0300, Andrei Otcheretianski wrote:
> The HE capabilities optional field starts at an odd offset within
> the packed struct. Casting &optional[0] or &optional[4] to
> le16 * causes misaligned memory access, which is undefined behavior
> and crashes wpa_supplicant with sanitizers enabled.
> Properly use WPA_GET_LE16() instead.

Thanks, applied.

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c index 0dd302e11a..32342f7d99 100644 --- a/src/common/ieee802_11_common.c +++ b/src/common/ieee802_11_common.c @@ -3837,13 +3837,13 @@ unsigned int get_max_nss_capability(struct ieee802_11_elems *elems, const u8 *optional = hecaps->optional; if (bw == CHAN_WIDTH_160) { - const le16 *mcs_160 = (const le16 *) &optional[0]; - - mcs_map = parse_for_rx ? mcs_160[0] : mcs_160[1]; + mcs_map = host_to_le16( + WPA_GET_LE16(parse_for_rx ? + &optional[0] : &optional[2])); } else if (bw == CHAN_WIDTH_80P80) { - const le16 *mcs_80p80 = (const le16 *) &optional[4]; - - mcs_map = parse_for_rx ? mcs_80p80[0] : mcs_80p80[1]; + mcs_map = host_to_le16( + WPA_GET_LE16(parse_for_rx ? + &optional[4] : &optional[6])); } else { mcs_map = parse_for_rx ? hecaps->he_basic_supported_mcs_set.rx_map :
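
Review bot: The host_to_le16(WPA_GET_LE16(...)) round trip in the CHAN_WIDTH_160 and CHAN_WIDTH_80P80 branches needs a one-line comment stating that mcs_map is kept in little-endian form, matching the removed le16 loads and the else branch that assigns he_basic_supported_mcs_set.rx_map directly. Without it the pair reads like a redundant conversion that a later cleanup could drop, which would only misbehave on big-endian hosts. Separately, the 80P80 branch reads up to optional[7] and nothing in the visible lines shows a length check on the element. The removed code read the same bytes, so this is not new, but it is worth confirming that the HE capabilities length is validated before get_max_nss_capability() reaches these reads.
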
The HE capabilities optional field starts at an odd offset within
the packed struct. Casting &optional[0] or &optional[4] to
le16 * causes misaligned memory access, which is undefined behavior
and crashes wpa_supplicant with sanitizers enabled.
Properly use WPA_GET_LE16() instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

---
 src/common/ieee802_11_common.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)