From: Avraham Stern <avraham.stern@xxxxxxxxx>
The number of frequencies is increased before the boundary check,
thus it should be allowed to be equal to the number of elements in
the array.
In addition, add the missing byte for the NULL terminator.
Signed-off-by: Avraham Stern <avraham.stern@xxxxxxxxx>
---
src/drivers/driver_nl80211_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c
index e3fcb44022..3a2faf63e5 100644
--- a/src/drivers/driver_nl80211_event.c
+++ b/src/drivers/driver_nl80211_event.c
@@ -1717,7 +1717,7 @@ static void send_scan_event(struct wpa_driver_nl80211_data *drv, int aborted,
}
}
if (tb[NL80211_ATTR_SCAN_FREQUENCIES]) {
- char msg[MAX_REPORT_FREQS * 5], *pos, *end;
+ char msg[MAX_REPORT_FREQS * 5 + 1], *pos, *end;
int res;
pos = msg;
@@ -1732,7 +1732,7 @@ static void send_scan_event(struct wpa_driver_nl80211_data *drv, int aborted,
if (!os_snprintf_error(end - pos, res))
pos += res;
num_freqs++;
- if (num_freqs == MAX_REPORT_FREQS - 1)
+ if (num_freqs == MAX_REPORT_FREQS)
break;
}
info->freqs = freqs;
--
2.38.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
