diff options
| author | Lorenzo Bianconi <lorenzo@kernel.org> | 2026-02-26 20:11:15 +0100 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-12 07:09:54 -0400 |
| commit | 2831a8c574545101e6d0df50785fccb16474eb3c (patch) | |
| tree | 1bb67c2f715ca6c8f9fd2fc4d2c71891ec068c5c /drivers/net/wireless | |
| parent | f4cdf6b43689e901a341e7147fcfb25057c38eae (diff) | |
| download | linux-2831a8c574545101e6d0df50785fccb16474eb3c.tar.gz linux-2831a8c574545101e6d0df50785fccb16474eb3c.tar.bz2 linux-2831a8c574545101e6d0df50785fccb16474eb3c.zip | |
wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()
[ Upstream commit c41a9abd6ae31d130e8f332e7c8800c4c866234b ]
Check frame length before accessing the mgmt fields in
mt7925_mac_write_txwi_80211 in order to avoid a possible oob access.
Fixes: c948b5da6bbec ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-2-b0f6d1ad4850@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/net/wireless')
| -rw-r--r-- | drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c index 1e44e96f034e..e880f3820a1a 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -667,6 +667,7 @@ mt7925_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi, u32 val; if (ieee80211_is_action(fc) && + skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 && mgmt->u.action.category == WLAN_CATEGORY_BACK && mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) tid = MT_TX_ADDBA; |