Re: [PATCH v3 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event

[Brian Norris <briannorris@chromium.org>]

Hi Tristan,

On Tue, Apr 21, 2026 at 01:49:38PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
> 
> The IBSS connected handler replaces the buffer-bounded evt_len with
> the firmware-controlled TLV header length. An inflated value drives the
> IE parsing loop past the event buffer into adjacent kernel heap memory.
> 
> Cap the TLV-derived length at the remaining event data size.
> 
> Fixes: 432da7d243da ("mwifiex: add HT aggregation support for adhoc mode")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> Changes in v3:
>   - Regenerated from wireless-next with proper git format-patch to
>     produce valid index hashes (v2 had post-processed index lines).
> 
> Changes in v2:
>   - No code changes from v1.
> 
>  drivers/net/wireless/marvell/mwifiex/sta_event.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> index 6b7e5b6a66a9e..62a879c09106e 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> @@ -45,6 +45,10 @@ static int mwifiex_check_ibss_peer_capabilities(struct mwifiex_private *priv,
>  		 */
>  		evt_len = le16_to_cpu(tlv_mgmt_frame->header.len);
>  		curr += (sizeof(*tlv_mgmt_frame) + 12);
> +		if (evt_len > event->len -
> +		    (curr - event->data))
> +			evt_len = event->len -
> +				  (curr - event->data);

The above 4 line have excessive line breaks. You're not even close to 80
characters (the old-school line limit), let alone the more modern 100
limit that checkpatch uses.

Just make this 2 unbroken lines:

		if (condition)
			evt_len = ...;

Brian

>  	} else {
>  		mwifiex_dbg(priv->adapter, MSG,
>  			    "management frame tlv not found!\n");
> -- 
> 2.47.3
>