From e91ac53d53da3074337b305905f4e4aac4cd72ea Mon Sep 17 00:00:00 2001
From: Jouni Malinen <quic_jouni@quicinc.com>
Date: Wed, 23 Nov 2022 22:51:50 +0200
Subject: [PATCH] DFS: Do not allow channel checks to go beyond the channel
 list

Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---
 src/ap/dfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ap/dfs.c b/src/ap/dfs.c
index 7f31f283d..e8c5ec9ac 100644
--- a/src/ap/dfs.c
+++ b/src/ap/dfs.c
@@ -445,6 +445,8 @@ static int dfs_check_chans_radar(struct hostapd_iface *iface,
 	mode = iface->current_mode;
 
 	for (i = 0; i < n_chans; i++) {
+		if (start_chan_idx + i >= mode->num_channels)
+			break;
 		channel = &mode->channels[start_chan_idx + i];
 		if (channel->flag & HOSTAPD_CHAN_RADAR)
 			res++;
@@ -797,6 +799,8 @@ static unsigned int dfs_get_cac_time(struct hostapd_iface *iface,
 	mode = iface->current_mode;
 
 	for (i = 0; i < n_chans; i++) {
+		if (start_chan_idx + i >= mode->num_channels)
+			break;
 		channel = &mode->channels[start_chan_idx + i];
 		if (!(channel->flag & HOSTAPD_CHAN_RADAR))
 			continue;