hostapd: ubus: fix beacon request buffer overflow with reporting detail

The reporting detail subelement (up to 3 bytes) was not accounted for in the wpabuf allocation, causing a crash when reporting_detail is set to a valid value (0, 1, or 2). Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-03-18 15:58:37 +00:00 · 2026-03-18 15:58:37 +00:00 · 0208089ded
commit 0208089ded
parent 06125fc10d
1 changed files with 3 additions and 0 deletions
--- a/package/network/services/hostapd/src/src/ap/ubus.c
+++ b/package/network/services/hostapd/src/src/ap/ubus.c
@ -1212,6 +1212,9 @@ hostapd_rrm_beacon_req(struct ubus_context *ctx, struct ubus_object *obj,
 	if (tb[BEACON_REQ_REPORTING_DETAIL])
 		reporting_detail = blobmsg_get_u32(tb[BEACON_REQ_REPORTING_DETAIL]);

+	if (reporting_detail >= 0 && reporting_detail < 3)
+		buf_len += 3;
+
 	req = wpabuf_alloc(buf_len);
 	if (!req)
 		return UBUS_STATUS_UNKNOWN_ERROR;