* [PATCH 1/1] wifi: cfg80211: wext: prevent encoding_size overflow in giwrange
[not found] <20260402121007.339835-1-n05ec@lzu.edu.cn>
@ 2026-04-02 12:10 ` Ren Wei
2026-04-07 10:42 ` Johannes Berg
From: Ren Wei @ 2026-04-02 12:10 UTC
To: linux-wireless
Cc: johannes, linville, kilroyd, yifanwucs, tomapufckgml, yuantan098,
bird, enjou1224z, xuyuqiabc, n05ec
From: Yuqi Xu <xuyuqiabc@gmail.com>
cfg80211_wext_giwrange() appends one encoding_size entry for each
WLAN_CIPHER_SUITE_WEP40 and WLAN_CIPHER_SUITE_WEP104 value advertised by
the wiphy. struct iw_range only provides IW_MAX_ENCODING_SIZES slots in
encoding_size[], so duplicated WEP entries can advance num_encoding_sizes
past the end of the array and corrupt the iw_range buffer returned by
SIOCGIWRANGE.
This can happen when the wiphy cipher list contains duplicated WEP entries.
Only append encoding sizes while there is still room in the fixed-size
array. This keeps the current behaviour for normal cipher lists and
truncates oversized WEP capability lists instead of writing past the end of
the buffer.
Fixes: 2ab658f9ce21 ("cfg80211: set WE encoding size based on available ciphers")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/wireless/wext-compat.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 5a70a0120343..9c5ac7da774c 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -170,13 +170,15 @@ int cfg80211_wext_giwrange(struct net_device *dev,
break;
case WLAN_CIPHER_SUITE_WEP40:
- range->encoding_size[range->num_encoding_sizes++] =
- WLAN_KEY_LEN_WEP40;
+ if (range->num_encoding_sizes < IW_MAX_ENCODING_SIZES)
+ range->encoding_size[range->num_encoding_sizes++] =
+ WLAN_KEY_LEN_WEP40;
break;
case WLAN_CIPHER_SUITE_WEP104:
- range->encoding_size[range->num_encoding_sizes++] =
- WLAN_KEY_LEN_WEP104;
+ if (range->num_encoding_sizes < IW_MAX_ENCODING_SIZES)
+ range->encoding_size[range->num_encoding_sizes++] =
+ WLAN_KEY_LEN_WEP104;
break;
}
}
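Review bot: the bound checks added to the WLAN_CIPHER_SUITE_WEP40 and WLAN_CIPHER_SUITE_WEP104 cases truncate silently, so a wiphy that advertises more WEP entries than IW_MAX_ENCODING_SIZES still registers and SIOCGIWRANGE returns a shortened encoding_size[] table with no indication that anything was dropped. Either add a WARN_ON_ONCE() on the overflow path so the bad cipher list is visible, or, as the reply in this thread suggests, reject duplicate cipher suites when the wiphy is registered so this code never sees an oversized list. The two guarded appends are also identical apart from the length constant; a small helper such as `add_encoding_size(range, WLAN_KEY_LEN_WEP40)` would keep the bound check in one place.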
--
2.52.0
* Re: [PATCH 1/1] wifi: cfg80211: wext: prevent encoding_size overflow in giwrange
2026-04-02 12:10 ` [PATCH 1/1] wifi: cfg80211: wext: prevent encoding_size overflow in giwrange Ren Wei
@ 2026-04-07 10:42 ` Johannes Berg
From: Johannes Berg @ 2026-04-07 10:42 UTC
To: Ren Wei, linux-wireless
Cc: linville, kilroyd, yifanwucs, tomapufckgml, yuantan098, bird,
enjou1224z, xuyuqiabc
On Thu, 2026-04-02 at 20:10 +0800, Ren Wei wrote:
> From: Yuqi Xu <xuyuqiabc@gmail.com>
>
> cfg80211_wext_giwrange() appends one encoding_size entry for each
> WLAN_CIPHER_SUITE_WEP40 and WLAN_CIPHER_SUITE_WEP104 value advertised by
> the wiphy. struct iw_range only provides IW_MAX_ENCODING_SIZES slots in
> encoding_size[], so duplicated WEP entries can advance num_encoding_sizes
> past the end of the array and corrupt the iw_range buffer returned by
> SIOCGIWRANGE.
>
> This can happen when the wiphy cipher list contains duplicated WEP entries.
That's pretty ridiculous though, even if it can (right now) be reached
through hwsim.
Probably better to just make cfg80211 reject duplicate entries though
than specifically hacking wext...
johannes
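The following is an added example written for this page; it is not code from the patch, from cfg80211, or from either participant in the thread. It reproduces the mechanism the commit message describes (one encoding_size[] slot consumed per WEP40/WEP104 entry, with only IW_MAX_ENCODING_SIZES slots available) and contrasts the patch's bounded append with the alternative raised in the reply, rejecting duplicate cipher suites up front. The constant values (IW_MAX_ENCODING_SIZES = 8, WEP key lengths 5 and 13, the 0x000FAC.. suite selectors) are taken from the kernel headers but are assumptions here so that the file builds outside the kernel tree; struct range_mock is a constructed stand-in for the relevant part of struct iw_range, and wep_entries_requested, fill_encoding_sizes and find_duplicate_cipher are names invented for the example. The overflow is counted rather than performed, so the example never writes out of bounds itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values, matching include/uapi/linux/wireless.h and
 * include/linux/ieee80211.h; defined here so the example is self-contained. */
#define IW_MAX_ENCODING_SIZES    8
#define WLAN_KEY_LEN_WEP40       5
#define WLAN_KEY_LEN_WEP104      13
#define WLAN_CIPHER_SUITE_WEP40  0x000FAC01
#define WLAN_CIPHER_SUITE_TKIP   0x000FAC02
#define WLAN_CIPHER_SUITE_CCMP   0x000FAC04
#define WLAN_CIPHER_SUITE_WEP104 0x000FAC05

/* Constructed stand-in for the part of struct iw_range that matters here:
 * a fixed-size table followed by other fields, so any write to
 * encoding_size[IW_MAX_ENCODING_SIZES] would land in whatever comes next. */
struct range_mock {
	uint16_t encoding_size[IW_MAX_ENCODING_SIZES];
	uint8_t num_encoding_sizes;
	uint8_t max_encoding_tokens;
};

/* How many encoding_size[] slots the unpatched loop would try to fill for
 * this cipher list: one per WEP40/WEP104 entry, duplicates included.
 * Anything above IW_MAX_ENCODING_SIZES is the overflow the patch prevents. */
size_t wep_entries_requested(const uint32_t *ciphers, size_t n)
{
	size_t count = 0;

	for (size_t i = 0; i < n; i++)
		if (ciphers[i] == WLAN_CIPHER_SUITE_WEP40 ||
		    ciphers[i] == WLAN_CIPHER_SUITE_WEP104)
			count++;
	return count;
}

/* Patched behaviour: append a WEP key length only while there is room.
 * Returns the number of entries actually stored, which is smaller than
 * wep_entries_requested() whenever the list was truncated. */
size_t fill_encoding_sizes(struct range_mock *range,
			   const uint32_t *ciphers, size_t n)
{
	range->num_encoding_sizes = 0;
	for (size_t i = 0; i < n; i++) {
		uint16_t len;

		switch (ciphers[i]) {
		case WLAN_CIPHER_SUITE_WEP40:
			len = WLAN_KEY_LEN_WEP40;
			break;
		case WLAN_CIPHER_SUITE_WEP104:
			len = WLAN_KEY_LEN_WEP104;
			break;
		default:
			continue;	/* other suites do not add a WEP size */
		}
		if (range->num_encoding_sizes < IW_MAX_ENCODING_SIZES)
			range->encoding_size[range->num_encoding_sizes++] = len;
	}
	return range->num_encoding_sizes;
}

/* Alternative suggested in review: refuse the cipher list at registration
 * time if any suite is listed twice. Returns the index of the first repeated
 * entry, or -1 when the list is duplicate-free. */
int find_duplicate_cipher(const uint32_t *ciphers, size_t n)
{
	for (size_t i = 1; i < n; i++)
		for (size_t j = 0; j < i; j++)
			if (ciphers[i] == ciphers[j])
				return (int)i;
	return -1;
}

/* Constructed cipher lists: a normal one, and one that repeats the WEP
 * suites enough times to exceed IW_MAX_ENCODING_SIZES. */
static const uint32_t normal_list[] = {
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_TKIP, WLAN_CIPHER_SUITE_CCMP,
};
static const uint32_t dup_list[] = {
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_WEP104,
	WLAN_CIPHER_SUITE_CCMP,
};
#define NORMAL_LEN (sizeof(normal_list) / sizeof(normal_list[0]))
#define DUP_LEN    (sizeof(dup_list) / sizeof(dup_list[0]))

int main(void)
{
	struct range_mock range;

	printf("normal list: requested %zu, stored %zu, duplicate at %d\n",
	       wep_entries_requested(normal_list, NORMAL_LEN),
	       fill_encoding_sizes(&range, normal_list, NORMAL_LEN),
	       find_duplicate_cipher(normal_list, NORMAL_LEN));
	printf("dup list:    requested %zu, stored %zu, duplicate at %d\n",
	       wep_entries_requested(dup_list, DUP_LEN),
	       fill_encoding_sizes(&range, dup_list, DUP_LEN),
	       find_duplicate_cipher(dup_list, DUP_LEN));
	return 0;
}
```

With the duplicated list, the unpatched loop would ask for 10 slots in an 8-entry table; the bounded append stores 8 and silently drops the rest, while the duplicate check flags the list at index 2, before any wext code runs. Which of the two a tree wants is exactly the question the reply raises: the bound check contains the damage in one caller, the registration-time check removes the bad input for every caller.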